(54) Email access control scheme for communication network using identification concealment mechanism



(57) An email access control scheme capable of resolving problems of the real email address and enabling a unique identification of the identity of the user while concealing the user identification is disclosed. A personalized access ticket containing a sender's identification and a recipient's identification in correspondence is to be presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email. Then, accesses between the sender and the recipient are controlled by verifying an access right of the sender with respect to the recipient according to the personalized access ticket at a secure communication service. Also, an official identification of each user by which each user is uniquely identifiable by a certification authority, and an anonymous identification of each user containing at least one fragment of the official identification are defined, and each user is identified by the anonymous identification of each user in communications for emails on a communication network.
Description

BACKGROUND OF THE INVENTION 

FIELD OF THE INVENTION

[0001] The present invention relates to an email access control scheme for controlling transmission and reception of emails by controlling accesses for communications from other users whose identifications on the communication network are concealed while concealing an identification of a recipient on the communication network.

DESCRIPTION OF THE BACKGROUND ART

[0002] In conjunction with the spread of the Internet, the SPAM and the harassment using emails are drastically increasing. The SPAM is a generic name for emails or news that are unilaterally sent without any consideration to the recipient's time consumption, economical and mental burdens. The SPAM using emails are also known as UBE (Unsolicited Bulk Emails) or UCE (Unsolicited Commercial Emails).

[0003] The SPAM is sent indiscriminately regardless of the recipient's age, sex, interests, etc., so that the SPAM often contains an uninteresting or unpleasant content for the recipient. Moreover, the time consumption load and the economical load required for receiving the SPAM are not so small. For the business user, the SPAM can cause the lowering of the working efficiency as it becomes hard to find important mails that are buried among the SPAM. Also, as the SPAM is sent to a huge number of users, the SPAM wastes the network resources and in the worst case the SPAM can cause the overloading. As a result, there can be cases where mails that are important for the user may be lost. Also, the SPAM is sent either anonymously or by pretending to be someone else, so that there is a need to provide some human resources to handle complaints.
[0004] On the other hand, the harassment is an act of continually sending mails with unpleasant contents for the user, for the purpose of causing mental agony or exerting economical and time consumption burdens on the specific user. Similarly to the SPAM, the harassment mails are sent by pretending to be an actual or virtual third person, so that the identification of the sender is quite difficult. Also, there are cases where a large capacity mail is sent or a large amount of mails are sent in a short period of time, so that there is a danger of causing the system breakdown.
[0005] In order to deal with the SPAM and the harassment, the mail system is required to satisfy the following requirements.

* Security

It is necessary to detect the pretending by the sender and refuse the delivery from the pretending sender.

* Strength

It is necessary to limit the mail capacity in order to circumvent the system breakdown due to the large capacity mail. It is also necessary to limit the number of transmissions in order to circumvent the system breakdown due to the large amount transmission.

* Compatibility

It is necessary not to require a considerable change to the implementation of the existing mail system.

* Handling

It is necessary not to require a considerable change to the handling of the existing mail system.

The MTA (Message Transfer Agent) such as sendmail and qmail detects the forgery of the envelope information and the header information and refuses the delivery. The MTA also refuses mail receiving from a mail server which is a source of the SPAM by referring to the so called black list such as MAPS RBL. The MTA also detects the transmission using someone else's real email address and refuses the delivery by carrying out the signature verification using PGP, S/MIME, TLS, etc. The MTA also limits the message length by partial deletion of the message text.

One of the causes of the SPAM and the harassment is the real email address, and the real email address is associated with the following problems.

* User's identity can be guessed from real email address:

The real email address contains information useful in guessing the identity, so that it can be used in selecting the harassment target. For example, the place of employment can be identified from the real domain. Also, the name and the sex can be guessed from the user name.

* Real email address can be guessed from user's identity:

The real email address has a universal format of [user name]@[domain name], so that the real email address can be guessed if the user's identity is known, without an explicit knowledge of the real email address itself. For example, if the user's real name is known, the candidates for the user name can be enumerated. Also, if the user's affiliation is known, the candidates for the domain name can be enumerated. Even in the case where the user name is given by a character string which is totally unrelated to the real name, if the naming rule for the user name is known, the user name can be guessed by trial and error transmissions.

* Real email address is transferable:

The real email address can be transferred from one person to another, so that mails can be transmitted even if the real email address is not taught by the holder himself. The transfer of real email address through mails includes the following cases. By specifying the other's real email address in the Cc: line of the mail, that real email address can be transferred to all the recipients specified in the To: line of the mail. Also, by forwarding the mail that contains the real email address of the recipient specified in the To: line in the message text to a third person, that real email address can be transferred to the third person.
* Real email address is hard to cancel:

It is difficult to cancel the real email address because if the real email address is cancelled it becomes impossible to read not only the SPAM and the harassment mails but also the important mails as well.

[0006] Cypherpunk remailers and Mixmaster remailers, which are collectively known as Anonymous remailers, use a scheme for delivering mails after encrypting the real email address and the real domain of the sender. This scheme is called the reply block. The encryption and decryption of the reply block uses a public key and a secret key of the Anonymous remailer, so that it is difficult to identify the real email address and the real domain of the sender for any users other than the sender.

[0007] The Anonymous remailers also make it difficult to transfer the real email address because it is difficult to identify the real email address. However, the reply block is transferable, so that reply mails can be returned to the sender from users other than the recipient.
[0008] AS-Node and nym.alias.net, which are collectively known as Pseudonymous servers, use mail transmission and reception using a pseudonym account uniquely corresponding to the real email address of the user. The pseudonym account can be arbitrarily created at the user side, so that the user can have a pseudonym account from which the real email address is hard to guess. In addition, by the use of the reply block, it is also possible to conceal the real email address and the real domain of the user from the Pseudonymous server. By combining these means, it can be made difficult to identify the real email address and the real domain of the sender for any users other than the sender. Also, the pseudonym account is cancellable, so that there is no need to cancel the real email address.

[0009] The Pseudonymous servers also make it difficult to transfer the real email address because it is difficult to identify the real email address. However, the pseudonym account is transferable, so that reply mails can be returned to the sender from users other than the recipient.

[0010] In addition, in order to protect a recipient from the SPAM and the harassment, it is also necessary to reject a connection request from a sender who is exercising such action. For this reason, it is necessary for the communication system to be capable of uniquely identifying the identity of the sender.



[0011] In view of these factors, the communication system is required to be capable of uniquely identifying the identity of the user while concealing the real email address of the user (that is, while guaranteeing the anonymity of the user), but in the conventional communication system it has been difficult to meet both of these requirements simultaneously.

[0012] In order to identify the identity of the user in the mail system, the real email address of that user is necessary. On the other hand, the Anonymous remailers deliver a mail after either encrypting or deleting the real email address of the sender in order to guarantee the anonymity of the sender. In order to identify the identity of the sender under this condition, it is necessary to trace the delivery route of the mail using the traffic analysis. However, the Anonymous remailers may delay the mail delivery or interchange the delivery orders of mails. Also, the Mixmaster remailers deliver the mail by dividing it into plural blocks. For this reason, it is difficult to trace the delivery route by the traffic analysis, and therefore the identification of the identity of the sender is also difficult.

[0013] The Pseudonymous servers also utilize the Anonymous remailers for the mail delivery, so that it is possible to guarantee the anonymity of the sender but it is also difficult to uniquely identify the identity of the sender.

[0014] On the other hand, the German Digital Signature Law allows entry of a pseudonym instead of a real name into a digital certificate for generating the digital signature to be used in communication services. The digital certificate is uniquely assigned to the user, so that the identity of the user can be uniquely identified even if the pseudonym is entered. Also, the right for naming the pseudonym is given to the user side, so that it is possible to enter the pseudonym from which it is difficult to guess the real name.

SUMMARY OF THE INVENTION

[0015] It is therefore an object of the present invention to provide an email access control scheme in a communication network which is capable of resolving the above described problems of the real email address which is one of the causes of the SPAM and the harassment.

[0016] It is another object of the present invention to provide an email access control scheme in a communication network which is capable of enabling a unique identification of the identity of the user while concealing the user identification.

EP 0 946 022 A2

[0017] In order to resolve the problems associated with the transfer and the cancellation of the real email address, the present invention employs the email access control scheme using a personalized access ticket (PAT). In order to resolve the problem associated with the transfer of the real email address, the destination is specified by the PAT which contains both the real email address of the sender and a real email address of the recipient. Also, in order to resolve the problem associated with the cancellation of the real email address, a validity period is set in the PAT by a Trusted Third Party. Then, the mail delivery from the sender who presented the PAT with the expired validity period will be refused. Also, instead of cancelling the real email address, the PAT is registered at a secure storage device managed by a secure communication service.

[0018] In other words, the present invention controls accesses in units in which the real email address of the sender and the real email address of the recipient are paired. For this reason, even when the real email address is transferred, it is possible to avoid receiving mails from users to which the real email address has been transferred as long as the PAT is not acquired by these users.

[0019] Also, in the present invention, it is possible to refuse receiving mails without cancelling the real email address because the mail delivery from the sender who presented the PAT with the expired validity period or the PAT that is registered in a database by the recipient will be refused.

[0020] Also, in the present invention, the mail receiving can be resumed without re-acquiring the real email address because the mail receiving can be resumed by deleting the PAT from the above described storage device.

[0021] Also, in the present invention, the time consumption and economical loads required for the mail receiving or downloading at the user side can be reduced because the transmission of mails is refused at the server side.

[0022] In addition, the present invention employs the email access control scheme using an official identification (OID) and an anonymous identification (AID) in order to make it possible to identify the identity of the user while guaranteeing the anonymity of the user.

[0023] Namely, in the present invention, a certificate in which the personal information is signed by a secret key of the Trusted Third Party is assigned to each user in order to uniquely identify each user. This certificate will be referred to as OID. Also, a certificate which contains fragments of the OID information is assigned to each user as a user identifier on a communication network in order to make it possible to identify the identity while guaranteeing the anonymity of the user. This certificate will be referred to as AID.

[0024] Also, in the present invention, the OID is reconstructed by judging the identity of a plurality of AIDs in order to identify the identity of the user. Also, the AID is contained in the PAT and the PAT is authenticated at a secure communication service (SCS) in order to resolve the problems associated with the transfer and the cancellation of the AID.

[0025] Also, in the present invention, the AID is managed in a directory which is accessible for search by unspecified many and which outputs the PAT containing the AID as a destination, in order to meet the user side demand for being able to admit accesses from unspecified many without revealing the own identity.
[0026] In this way, in the present invention, the identity of the user can be concealed in the mail transmission and reception because the AID only contains fragments of the OID. Also, the identity of the user can be concealed from unspecified many even when the AID is registered at the directory service which is accessible from unspecified many.

[0027] Also, in the present invention, the identity of the user can be identified probabilistically by reconstructing the OID by judging the identity of a plurality of AIDs. For this reason, it is possible to provide a measure against the SPAM and the harassment without revealing the identity.

[0028] Also, in the present invention, it is possible to admit accesses from unspecified many without revealing the identity, by managing the AID rather than the real email address at the directory and outputting the PAT containing the AID as a destination at the directory.
[0029] More specifically, according to one aspect of the present invention there is provided a method of email access control, comprising the steps of: receiving a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, at a secure communication service for connecting communications between the sender and the receiver; and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket at the secure communication service.

[0030] Also, in this aspect of the present invention, at the controlling step the secure communication service authenticates the personalized access ticket presented by the sender, and refuses a delivery of the email when the personalized access ticket presented by the sender has been altered.

[0031] Also, in this aspect of the present invention, the personalized access ticket is signed by a secret key of a secure processing device which issued the personalized access ticket, and at the controlling step the secure communication service authenticates the personalized access ticket by verifying a signature of the secure processing device in the personalized access ticket using a public key of the secure processing device.
[0032] Also, in this aspect of the present invention, at the receiving step the secure communication service also receives the sender's identification presented by the sender along with the personalized access ticket, and at the controlling step the secure communication service checks whether the sender's identification presented by the sender is contained in the personalized access ticket presented by the sender, and refuses a delivery of the email when the sender's identification presented by the sender is not contained in the personalized access ticket presented by the sender.
[0033] Also, in this aspect of the present invention, the personalized access ticket also contains a validity period indicating a period for which the personalized access ticket is valid, and at the controlling step the secure communication service checks the validity period contained in the personalized access ticket presented by the sender and refuses a delivery of the email when the personalized access ticket presented by the sender contains the validity period that has already expired.

[0034] Also, in this aspect of the present invention, the validity period of the personalized access ticket is set by a trusted third party.

[0035] Also, in this aspect of the present invention, the method can further comprise the step of: issuing the personalized access ticket to the sender at a directory service for managing an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than a personal information, in a state which is accessible for search by unspecified many, in response to search conditions specified by the sender, by using an identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.

[0036] Also, in this aspect of the present invention, the method can further comprise the step of: registering in advance the personalized access ticket containing an identification of a specific user from which a delivery of emails to a specific registrant is to be refused as the sender's identification and an identification of the specific registrant as the recipient's identification, at the secure communication service; wherein at the controlling step the secure communication service refuses a delivery of the email from the sender when the personalized access ticket presented by the sender is registered therein in advance at the registering step.
[0037] Also, in this aspect of the present invention, the method can further comprise the step of: deleting the personalized access ticket registered at the secure communication service upon request from the specific registrant who registered the personalized access ticket at the registering step.

[0038] Also, in this aspect of the present invention, the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service, and at the controlling step, when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the secure communication service authenticates the sender's identification presented by the sender and refuses a delivery of the email when an authentication of the sender's identification fails.

[0039] Also, in this aspect of the present invention, the authentication of the sender's identification is realized by a challenge/response procedure between the sender and the secure communication service.
[0040] Also, in this aspect of the present invention, the transfer control flag of the personalized access ticket is set by a trusted third party.

[0041] Also, in this aspect of the present invention, the sender's identification and the recipient's identification in the personalized access ticket can be given by real email addresses of the sender and the recipient.
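The controlling step of [0030] to [0039] carried through in code, as an added illustration that is not the patent's own code: the secure communication service checks the ticket signature, the presented sender identification, the validity period, the refusal registrations of [0036] and [0037], and the transfer control flag, then hands the converted mail to the mail transfer function. It assumes a JSON ticket layout, real email addresses as identifications, and an HMAC-SHA256 tag as a stand-in for the secure processing device's secret-key signature and for the user's key in the challenge/response; all names, keys and addresses are constructed.

```python
import hashlib
import hmac
import json
import secrets
from typing import Callable, Optional

# Secret of the secure processing device that issues PATs (constructed).
# An HMAC-SHA256 tag stands in for the device's secret-key signature.
ISSUER_KEY = b"constructed-issuer-key"


def _canon(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issuer_sign(body: dict) -> str:
    return hmac.new(ISSUER_KEY, _canon(body), hashlib.sha256).hexdigest()


def issue_pat(sender: str, recipients: list, not_before: int,
              not_after: int, auth_required: bool) -> dict:
    """PAT pairing a sender with its recipients; the validity period and the
    transfer control flag are values the trusted third party decided."""
    body = {"sender": sender, "recipients": list(recipients),
            "not_before": not_before, "not_after": not_after,
            "auth_required": auth_required}
    return {"body": body, "sig": issuer_sign(body)}


def make_responder(user_key: bytes) -> Callable[[bytes], bytes]:
    """Sender side of the challenge/response: answer with an HMAC over the
    challenge (stand-in for signing it with the user's private key)."""
    return lambda challenge: hmac.new(user_key, challenge, hashlib.sha256).digest()


class SecureCommunicationService:
    """Controls accesses in the (sender, recipient) units the PAT pairs."""

    def __init__(self, sender_keys: dict):
        self.sender_keys = sender_keys   # per-user verification keys (stand-in)
        self.refused: set = set()        # (sender, registrant) pairs refused
        self.mta_queue: list = []        # what the mail transfer function gets

    def register_refusal(self, sender: str, registrant: str) -> None:
        """The recipient registers the pair to stop mail from that sender
        without cancelling its own address."""
        self.refused.add((sender, registrant))

    def delete_refusal(self, sender: str, registrant: str) -> None:
        """Deleting the registration resumes mail receiving."""
        self.refused.discard((sender, registrant))

    def authenticate(self, sender: str, respond: Optional[Callable]) -> bool:
        key = self.sender_keys.get(sender)
        if key is None or respond is None:
            return False
        challenge = secrets.token_bytes(16)
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(respond(challenge), expected)

    def control(self, pat: dict, presented_sender: str, message: str,
                now: int, respond: Optional[Callable] = None) -> tuple:
        """Returns ("delivered", envelope) or ("refused", reason)."""
        body = pat.get("body", {})
        # Authenticate the ticket; an altered ticket is refused.
        if not hmac.compare_digest(issuer_sign(body), pat.get("sig", "")):
            return ("refused", "altered ticket")
        # The identification presented by the sender must be in the ticket.
        ids = [body["sender"]] + body["recipients"]
        if presented_sender not in ids:
            return ("refused", "sender not in ticket")
        # A ticket whose validity period has expired is refused.
        if not body["not_before"] <= now <= body["not_after"]:
            return ("refused", "validity period expired")
        # Take out the recipient identifications using the sender's.
        recipients = [i for i in ids if i != presented_sender]
        # A pair the recipient registered in advance is refused.
        if any((presented_sender, r) in self.refused for r in recipients):
            return ("refused", "ticket registered for refusal")
        # Transfer control flag set: the sender must authenticate first.
        if body["auth_required"] and not self.authenticate(presented_sender, respond):
            return ("refused", "sender authentication failed")
        # Convert to what the mail transfer function understands, PAT attached.
        envelope = {"mail_from": presented_sender, "rcpt_to": recipients,
                    "data": message, "pat": pat}
        self.mta_queue.append(envelope)
        return ("delivered", envelope)
```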

[0042] Also, in this aspect of the present invention, the sender's identification and the recipient's identification in the personalized access ticket can be given by anonymous identifications of the sender and the recipient, where an anonymous identification of each user contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority.

[0043] Also, in this aspect of the present invention, the anonymous identification of each user is an information containing the at least one fragment of the official identification of each user which is signed by the certification authority using a secret key of the certification authority.
[0044] Also, in this aspect of the present invention, the official identification of each user is a character string uniquely assigned to each user by the certification authority and a public key of each user which are signed by a secret key of the certification authority.
[0045] Also, in this aspect of the present invention, the method can further comprise the step of: probabilistically identifying an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

[0046] Also, in this aspect of the present invention, an anonymous identification of each user that contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority and a link information of each anonymous identification by which each anonymous identification can be uniquely identified can be defined, and the sender's identification and the recipient's identification in the personalized access ticket can be given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient.

[0047] Also, in this aspect of the present invention, the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority.

[0048] Also, in this aspect of the present invention, the method can further comprise the step of: probabilistically identifying an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.
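The OID/AID mechanism of [0042] to [0048] and the probabilistic reconstruction of [0045], as an added illustration that is not the patent's own code. It assumes the OID text is the CA-assigned string and the user's public key joined by "|", that each AID carries one contiguous fragment of that text with its offset and a link identifier, that fragments are issued to overlap so that AIDs can be judged for identity, and that an HMAC-SHA256 tag stands in for the certification authority's secret-key signature; the user strings and keys are constructed.

```python
import hashlib
import hmac
import json

# CA secret (constructed).  An HMAC-SHA256 tag stands in for the CA's
# secret-key signature on the OID and on each AID.
CA_KEY = b"constructed-ca-key"


def _canon(obj: dict) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def ca_sign(obj: dict) -> str:
    return hmac.new(CA_KEY, _canon(obj), hashlib.sha256).hexdigest()


def ca_verify(obj: dict, sig: str) -> bool:
    return hmac.compare_digest(ca_sign(obj), sig)


def issue_oid(user_string: str, pubkey_hex: str) -> dict:
    """OID: a string uniquely assigned by the CA plus the user's public key,
    signed by the CA."""
    body = {"id": user_string, "pubkey": pubkey_hex}
    return {"body": body, "sig": ca_sign(body)}


def oid_text(oid: dict) -> str:
    """Canonical text of the OID that the AIDs carry fragments of (assumed layout)."""
    return oid["body"]["id"] + "|" + oid["body"]["pubkey"]


def issue_aid(oid: dict, offset: int, length: int, link: str) -> dict:
    """AID: one fragment of the OID plus its link information, signed by the CA.
    A single AID reveals only its fragment, which is what keeps the user anonymous."""
    text = oid_text(oid)
    body = {"link": link, "total": len(text), "offset": offset,
            "fragment": text[offset:offset + length]}
    return {"body": body, "sig": ca_sign(body)}


def reconstruct_oid(aids: list) -> dict:
    """Judge whether a set of AIDs (collected from the PATs one sender used)
    belong to the same identity and reconstruct the OID from their fragments.

    Overlapping fragments that disagree cannot come from one OID, so the set
    is reported inconsistent.  Otherwise the coverage (fraction of OID
    characters recovered) is the confidence of the probabilistic
    identification; the OID text is returned only once coverage is complete."""
    failed = {"consistent": False, "coverage": 0.0, "oid_text": None}
    valid = [a["body"] for a in aids if ca_verify(a["body"], a["sig"])]
    if not valid:
        return failed
    total = valid[0]["total"]
    buf = [None] * total
    for b in valid:
        if b["total"] != total:
            return failed
        for i, ch in enumerate(b["fragment"]):
            pos = b["offset"] + i
            if buf[pos] is not None and buf[pos] != ch:
                return failed
            buf[pos] = ch
    covered = sum(c is not None for c in buf)
    text = "".join(buf) if covered == total else None
    return {"consistent": True, "coverage": covered / total, "oid_text": text}


def demo() -> dict:
    """Constructed walk-through: four overlapping AIDs of one user, a partial
    set, a set polluted with another user's AID, and an altered AID."""
    alice = issue_oid("user-0042", "0123456789abcdef")       # 26 chars of text
    aids = [issue_aid(alice, off, 8, f"link-{n}") for n, off in enumerate((0, 6, 12, 18))]
    other = issue_oid("user-0719", "fedcba9876543210")
    forged = dict(aids[0], sig="00" * 32)                   # altered AID, dropped
    return {
        "full": reconstruct_oid(aids),
        "partial": reconstruct_oid(aids[:2]),
        "mixed": reconstruct_oid([aids[0], issue_aid(other, 6, 8, "link-x")]),
        "forged_only": reconstruct_oid([forged]),
        "expected_text": oid_text(alice),
    }
```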
[0049] Also, in this aspect of the present invention, the personalized access ticket can contain a single sender's identification and a single recipient's identification in 1-to-1 correspondence.

[0050] Also, in this aspect of the present invention, the personalized access ticket can contain a single sender's identification and a plurality of recipient's identifications in 1-to-N correspondence, where N is an integer greater than 1.

[0051] Also, in this aspect of the present invention, one identification among the single sender's identification and the plurality of recipient's identifications is a holder identification for identifying a holder of the personalized access ticket, while other identifications among the single sender's identification and the plurality of recipient's identifications are member identifications for identifying members of a group to which the holder belongs.

[0052] Also, in this aspect of the present invention, the method can further comprise the step of: issuing an identification of each user and an enabler of the identification of each user indicating a right to change the personalized access ticket containing the identification of each user as the holder identification, to each user at a certification authority, such that prescribed processing on the personalized access ticket can be carried out at a secure processing device only by a user who presented both the holder identification contained in the personalized access ticket and the enabler corresponding to the holder identification to the secure processing device.

[0053] Also, in this aspect of the present invention, the certification authority issues the enabler of the identification of each user as an information indicating that it is the enabler and the identification of each user itself which are signed by a secret key of the certification authority.

[0054] Also, in this aspect of the present invention, the prescribed processing includes a generation of a new personalized access ticket, a merging of a plurality of personalized access tickets, a splitting of one personalized access ticket into a plurality of personalized access tickets, a changing of the holder of the personalized access ticket, a changing of a validity period of the personalized access ticket, and a changing of a transfer control flag of the personalized access ticket.
[0055] Also, in this aspect of the present invention, a special identification and a special enabler corresponding to the special identification which are known to all users can be defined such that the generation of a new personalized access ticket and the changing of the holder of the personalized access ticket can be carried out by the holder of the personalized access ticket by using the special identification and the special enabler without using an enabler of a member identification.
[0056] Also, in this aspect of the present invention, the special identification is defined to be capable of being used only as the holder identification of the personalized access ticket.

[0057] Also, in this aspect of the present invention, a special identification which is known to all users can be defined such that a read only attribute can be set to the personalized access ticket by using the special identification.

[0058] Also, in this aspect of the present invention, at the controlling step, when the access right of the sender with respect to the recipient is verified according to the personalized access ticket, the secure communication service takes out the recipient's identification from the personalized access ticket by using the sender's identification presented by the sender, converts the mail by using the taken out recipient's identification into a format that can be interpreted by a mail transfer function for actually carrying out a mail delivery processing, and gives the mail after conversion to the mail transfer function by attaching the personalized access ticket.
[0059] According to another aspect of the present invention there is provided a method of email access control, comprising the steps of: defining an official identification of each user by which each user is uniquely identifiable by a certification authority, and an anonymous identification of each user containing at least one fragment of the official identification; and identifying each user by the anonymous identification of each user in communications for emails on a communication network.

[0060] Also, in this aspect of the present invention, the anonymous identification of each user is an information containing the at least one fragment of the official identification of each user which is signed by the certification authority using a secret key of the certification authority.
[0061] Also, in this aspect of the present invention, the official identification of each user is a character string uniquely assigned to each user by the certification authority and a public key of each user which are signed by a secret key of the certification authority.
[0062] Also, in this aspect of the present invention, the method can further comprise the steps of: receiving a personalized access ticket containing a sender's anonymous identification and a recipient's anonymous identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, at a secure communication service for connecting communications between the sender and the receiver; and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket at the secure communication service.

[0063] Also, in this aspect of the present invention, the method can further comprise the step of: probabilistically identifying an identity of the sender at the secure communication service by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

[0064] Also, in this aspect of the present invention, the defining step can also define a link information of each anonymous identification by which each anonymous identification can be uniquely identified, and each anonymous identification can also contain the link information of each anonymous identification.
[0065] Also, in this aspect of the present invention, the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority.
[0066] Also, in this aspect of the present invention, the 
method can further comprises the steps oh receiving a 
personalized access ticket containing a link informa ti on 
of a senders anonymous identification and a link infor- 
mation of a recipients anonymous identification in cor- 
respondence, which is presented by a sender who 
wishes to send an email to a recipient so as to specify 
the recipient as an intended destination of the email, at 
a secure communication service tor connecting commu- 
nications between the sender and the receiver; and 
controOing accesses between the sender and the recip- 
ient by verifying an access right of the sender with 
respect to the recipient according to the personalized 
access ticket at the secure communication service. 
[0067] Also, in this aspect of the present invention, the 
method can further comprises the step of: probabilisti- 
cally identifying an identity of the sender by reconstruct- 
ing the official identification of the sender while judging 
identity of a plurality of anonymous tierrtrfications of the 
sender corresponding to the link information contained 
in a plurality of personalized access tickets used by the 
sender. 

[0068] According to another aspect of the present invention there is provided a communication system realizing email access control, comprising: a communication network to which a plurality of user terminals are connected; and a secure communication service device for connecting communications between the sender and the receiver on the communication network, by receiving a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.

[0069] Also, in this aspect of the present invention, the secure communication service device authenticates the personalized access ticket presented by the sender, and refuses a delivery of the email when the personalized access ticket presented by the sender has been altered.

[0070] Also, in this aspect of the present invention, the system further comprises: a secure processing device for issuing the personalized access ticket which is signed by a secret key of the secure processing device; wherein the secure communication service device authenticates the personalized access ticket by verifying a signature of the secure processing device in the personalized access ticket using a public key of the secure processing device.

[0071] Also, in this aspect of the present invention, the secure communication service device also receives the sender's identification presented by the sender along with the personalized access ticket, checks whether the sender's identification presented by the sender is contained in the personalized access ticket presented by the sender, and refuses a delivery of the email when the sender's identification presented by the sender is not contained in the personalized access ticket presented by the sender.

[0072] Also, in this aspect of the present invention, the personalized access ticket also contains a validity period indicating a period for which the personalized access ticket is valid, and the secure communication service device checks the validity period contained in the personalized access ticket presented by the sender and refuses a delivery of the email when the personalized access ticket presented by the sender contains the validity period that has already expired.

[0073] Also, in this aspect of the present invention, the system further comprises: a trusted third party for setting the validity period of the personalized access ticket.

[0074] Also, in this aspect of the present invention, the system can further comprise: a directory service device for managing an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than a personal information, in a state which is accessible for search by unspecified many, and issuing the personalized access ticket to the sender in response to search conditions specified by the sender, by using an identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.

[0075] Also, in this aspect of the present invention, the secure communication service device can register in advance the personalized access ticket containing an identification of a specific user from which a delivery of emails to a specific registrant is to be refused as the sender's identification and an identification of the specific registrant as the recipient's identification, and refuse a delivery of the email from the sender when the personalized access ticket presented by the sender is registered therein in advance.

[0076] Also, in this aspect of the present invention, the secure communication service device can delete the personalized access ticket registered therein upon request from the specific registrant who registered the personalized access ticket.

[0077] Also, in this aspect of the present invention, the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service, and when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the secure communication service device authenticates the sender's identification presented by the sender and refuses a delivery of the email when an authentication of the sender's identification fails.

[0078] Also, in this aspect of the present invention, the authentication of the sender's identification is realized by a challenge/response procedure between the sender and the secure communication service device.

[0079] Also, in this aspect of the present invention, the system further comprises a trusted third party for setting the transfer control flag of the personalized access ticket.

[0080] Also, in this aspect of the present invention, the sender's identification and the recipient's identification in the personalized access ticket can be given by real email addresses of the sender and the recipient.
[0081] Also, in this aspect of the present invention, the system can further comprise: a certification authority device for issuing an anonymous identification of each user which contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by the certification authority device; wherein the sender's identification and the recipient's identification in the personalized access ticket can be given by anonymous identifications of the sender and the recipient.

[0082] Also, in this aspect of the present invention, the anonymous identification of each user is an information containing the at least one fragment of the official identification of each user which is signed by the certification authority device using a secret key of the certification authority device.

[0083] Also, in this aspect of the present invention, the official identification of each user is a character string uniquely assigned to each user by the certification authority device and a public key of each user which are signed by a secret key of the certification authority device.

[0084] Also, in this aspect of the present invention, the secure communication service device can probabilistically identify an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

[0085] Also, in this aspect of the present invention, the system can further comprise: a certification authority device for issuing an anonymous identification of each user which contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by the certification authority device and a link information of each anonymous identification by which each anonymous identification can be uniquely identified; wherein the sender's identification and the recipient's identification in the personalized access ticket can be given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient.

[0086] Also, in this aspect of the present invention, the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority device.

[0087] Also, in this aspect of the present invention, the secure communication service device can probabilistically identify an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.

[0088] Also, in this aspect of the present invention, the personalized access ticket can contain a single sender's identification and a single recipient's identification in 1-to-1 correspondence.

[0089] Also, in this aspect of the present invention, the personalized access ticket can contain a single sender's identification and a plurality of recipient's identifications in 1-to-N correspondence, where N is an integer greater than 1.

[0090] Also, in this aspect of the present invention, one identification among the single sender's identification and the plurality of recipient's identifications is a holder identification for identifying a holder of the personalized access ticket while other identifications among the single sender's identification and the plurality of recipient's identifications are member identifications for identifying members of a group to which the holder belongs.

[0091] Also, in this aspect of the present invention, the system can further comprise: a certification authority device for issuing to each user an identification of each user and an enabler of the identification of each user indicating a right to change the personalized access ticket containing the identification of each user as the holder identification; and a secure processing device at which prescribed processing on the personalized access ticket can be carried out only by a user who presented both the holder identification contained in the personalized access ticket and the enabler corresponding to the holder identification to the secure processing device.

[0092] Also, in this aspect of the present invention, the certification authority device issues the enabler of the identification of each user as an information indicating that it is the enabler and the identification of each user itself which are signed by a secret key of the certification authority device.

[0093] Also, in this aspect of the present invention, the prescribed processing includes a generation of a new personalized access ticket, a merging of a plurality of personalized access tickets, a splitting of one personalized access ticket into a plurality of personalized access tickets, a changing of the holder of the personalized access ticket, a changing of a validity period of the personalized access ticket, and a changing of a transfer control flag of the personalized access ticket.

[0094] Also, in this aspect of the present invention, a special identification and a special enabler corresponding to the special identification which are known to all users can be defined such that the generation of a new personalized access ticket and the changing of the holder of the personalized access ticket can be carried out by the holder of the personalized access ticket by using the special identification and the special enabler without using an enabler of a member identification.

[0095] Also, in this aspect of the present invention, the special identification is defined to be capable of being used only as the holder identification of the personalized access ticket.

[0096] Also, in this aspect of the present invention, a special identification which is known to all users can be defined such that a read only attribute can be set to the personalized access ticket by using the special identification.

[0097] Also, in this aspect of the present invention, when the access right of the sender with respect to the recipient is verified according to the personalized access ticket, the secure communication service device takes out the recipient's identification from the personalized access ticket by using the sender's identification presented by the sender, converts the mail by using a taken out recipient's identification into a format that can be interpreted by a mail transfer function for actually carrying out a mail delivery processing, and gives the mail after conversion to the mail transfer function by attaching the personalized access ticket.
[0098] According to another aspect of the present invention there is provided a communication system realizing email access control, comprising: a certification authority device for defining an official identification of each user by which each user is uniquely identifiable by the certification authority device, and an anonymous identification of each user which contains at least one fragment of the official identification; and a communication network on which each user is identified by the anonymous identification of each user in communications for emails on the communication network.

[0099] Also, in this aspect of the present invention, the anonymous identification of each user is an information containing the at least one fragment of the official identification of each user which is signed by the certification authority device using a secret key of the certification authority device.

[0100] Also, in this aspect of the present invention, the official identification of each user is a character string uniquely assigned to each user by the certification authority device and a public key of each user which are signed by a secret key of the certification authority device.

[0101] Also, in this aspect of the present invention, the system can further comprise: a secure communication service device for connecting communications between the sender and the receiver on the communication network, by receiving a personalized access ticket containing a sender's anonymous identification and a recipient's anonymous identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.

[0102] Also, in this aspect of the present invention, the secure communication service device can probabilistically identify an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

[0103] Also, in this aspect of the present invention, the certification authority device can also define a link information of each anonymous identification by which each anonymous identification can be uniquely identified, and each anonymous identification can also contain the link information of each anonymous identification.

[0104] Also, in this aspect of the present invention, the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority device.

[0105] Also, in this aspect of the present invention, the system can further comprise: a secure communication service device for connecting communications between the sender and the receiver on the communication network by receiving a personalized access ticket containing a link information of a sender's anonymous identification and a link information of a recipient's anonymous identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.

[0106] Also, in this aspect of the present invention, the secure communication service device can probabilistically identify an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of link informations of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.
[0107] According to another aspect of the present invention there is provided a secure communication service device for use in a communication system realizing email access control, comprising: a computer hardware; and a computer software for causing the computer hardware to connect communications between the sender and the receiver, by receiving a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.

[0108] Also, in this aspect of the present invention, the computer software causes the computer hardware to authenticate the personalized access ticket presented by the sender, and refuse a delivery of the email when the personalized access ticket presented by the sender has been altered.

[0109] Also, in this aspect of the present invention, the personalized access ticket is signed by a secret key of a secure processing device which issued the personalized access ticket, and the computer software causes the computer hardware to authenticate the personalized access ticket by verifying a signature of the secure processing device in the personalized access ticket using a public key of the secure processing device.

[0110] Also, in this aspect of the present invention, the computer software causes the computer hardware to also receive the sender's identification presented by the sender along with the personalized access ticket, check whether the sender's identification presented by the sender is contained in the personalized access ticket presented by the sender, and refuse a delivery of the email when the sender's identification presented by the sender is not contained in the personalized access ticket presented by the sender.

[0111] Also, in this aspect of the present invention, the personalized access ticket also contains a validity period indicating a period for which the personalized access ticket is valid, and the computer software causes the computer hardware to check the validity period contained in the personalized access ticket presented by the sender and refuse a delivery of the email when the personalized access ticket presented by the sender contains the validity period that has already expired.

[0112] Also, in this aspect of the present invention, the computer software can cause the computer hardware to register in advance the personalized access ticket containing an identification of a specific user from which a delivery of emails to a specific registrant is to be refused as the sender's identification and an identification of the specific registrant as the recipient's identification, at the secure communication service device, and refuse a delivery of the email from the sender when the personalized access ticket presented by the sender is registered at the secure communication service device in advance.

[0113] Also, in this aspect of the present invention, the computer software can cause the computer hardware to delete the personalized access ticket registered at the secure communication service device upon request from the specific registrant who registered the personalized access ticket.

[0114] Also, in this aspect of the present invention, the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service device, and when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the computer software causes the computer hardware to authenticate the sender's identification presented by the sender and refuse a delivery of the email when an authentication of the sender's identification fails.

[0115] Also, in this aspect of the present invention, the computer software causes the computer hardware to realize the authentication of the sender's identification by a challenge/response procedure between the sender and the secure communication service device.

[0116] Also, in this aspect of the present invention, the sender's identification and the recipient's identification in the personalized access ticket can be given by anonymous identifications of the sender and the recipient, where an anonymous identification of each user contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority, and the computer software can also cause the computer hardware to probabilistically identify an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

[0117] Also, in this aspect of the present invention, an anonymous identification of each user that contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority and a link information of each anonymous identification by which each anonymous identification can be uniquely identified can be defined, the sender's identification and the recipient's identification in the personalized access ticket can be given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient, and the computer software can also cause the computer hardware to probabilistically identify an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.
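The anonymous identification mechanism described in [0061]-[0067], [0081]-[0087], [0098]-[0106] and [0116]-[0117] can be made concrete with the following added example. It is not the patent's own code: it models an official identification as the CA-assigned string plus the user's public key, cuts that text into fixed-size fragments, issues anonymous identifications that each carry one fragment together with a link information, and shows how a secure communication service accumulates the fragments seen in the tickets used by one sender to reconstruct the official identification. The CA signatures over official and anonymous identifications are assumed to be verified elsewhere and are omitted; the fragment length, the identifier formats and the public-key strings are constructed for the illustration.

```python
"""Added example (not the patent's own code): anonymous identifications that
carry one fragment of a CA-assigned official identification, link information
that stands in for them inside tickets, and the probabilistic reconstruction
of the official identification from fragments seen across several tickets
used by one sender.  CA signatures are assumed verified elsewhere and omitted;
identifiers, public keys and the fragment size are constructed."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FRAGMENT_LEN = 4   # characters of the official identification per anonymous id (constructed)


@dataclass(frozen=True)
class OfficialId:
    name: str          # character string uniquely assigned by the CA
    public_key: str    # the user's public key (constructed placeholder string)

    def text(self) -> str:
        return self.name + "|" + self.public_key


@dataclass(frozen=True)
class AnonymousId:
    link: str          # link information: CA-assigned unique identifier of this anonymous id
    index: int         # which fragment of the official identification is embedded
    fragment: str
    total: int         # number of fragments the official identification splits into


class CertificationAuthority:
    def __init__(self) -> None:
        self._by_link: Dict[str, AnonymousId] = {}
        self._counter = 0

    def register(self, public_key: str) -> OfficialId:
        """Define the official identification of a new user."""
        self._counter += 1
        return OfficialId(f"CA-{self._counter:04d}", public_key)

    def issue_anonymous(self, oid: OfficialId, index: Optional[int] = None) -> AnonymousId:
        """Issue an anonymous identification carrying one fragment (random unless given)."""
        text = oid.text()
        total = -(-len(text) // FRAGMENT_LEN)          # ceiling division
        if index is None:
            index = secrets.randbelow(total)
        fragment = text[index * FRAGMENT_LEN:(index + 1) * FRAGMENT_LEN]
        aid = AnonymousId("L-" + secrets.token_hex(4), index, fragment, total)
        self._by_link[aid.link] = aid
        return aid

    def resolve(self, link: str) -> AnonymousId:
        """Map a link information back to the anonymous identification it names."""
        return self._by_link[link]


class Reconstructor:
    """Secure communication service side: accumulate the fragments found in the
    anonymous identifications (or link informations) of tickets used by one
    sender and judge whether they belong to a single official identification."""
    def __init__(self, ca: CertificationAuthority) -> None:
        self.ca = ca
        self.fragments: Dict[int, str] = {}
        self.total: Optional[int] = None
        self.consistent = True

    def observe(self, anon: AnonymousId) -> None:
        if self.total is None:
            self.total = anon.total
        elif anon.total != self.total:
            self.consistent = False          # different length: cannot be the same official id
            return
        seen = self.fragments.get(anon.index)
        if seen is not None and seen != anon.fragment:
            self.consistent = False          # overlapping fragments disagree
            return
        self.fragments[anon.index] = anon.fragment

    def observe_link(self, link: str) -> None:
        self.observe(self.ca.resolve(link))

    def reconstruct(self) -> Tuple[str, float]:
        """Best-effort official identification and the fraction of fragments recovered."""
        if not self.consistent or self.total is None:
            return "", 0.0
        parts = [self.fragments.get(i, "?" * FRAGMENT_LEN) for i in range(self.total)]
        return "".join(parts), len(self.fragments) / self.total
```

The recovered fraction is what makes the identification probabilistic: every ticket a sender uses reveals one more fragment, so the secure communication service learns the official identification only gradually, and only when the fragments it collects are mutually consistent. For a deployment this is the parameter to watch: the number of fragments and how often they overlap determine how many tickets a service must see before a pseudonymous sender becomes identifiable.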
[0118] Also, in this aspect of the present invention, when the access right of the sender with respect to the recipient is verified according to the personalized access ticket, the computer software causes the computer hardware to take out the recipient's identification from the personalized access ticket by using the sender's identification presented by the sender, convert the mail by using a taken out recipient's identification into a format that can be interpreted by a mail transfer function for actually carrying out a mail delivery processing, and give the mail after conversion to the mail transfer function by attaching the personalized access ticket.

[0119] According to another aspect of the present invention there is provided a secure processing device for use in a communication system realizing email access control, comprising: a computer hardware; and a computer software for causing the computer hardware to receive a request for a personalized access ticket from a user, and issue a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is signed by a secret key of the secure processing device.

[0120] According to another aspect of the present invention there is provided a directory service device for use in a communication system realizing email access control, comprising: a computer hardware; and a computer software for causing the computer hardware to manage an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than a personal information, in a state which is accessible for search by unspecified many, and issue a personalized access ticket containing a sender's identification and a recipient's identification in correspondence to the sender in response to search conditions specified by the sender, by using an identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.

[0121] According to another aspect of the present invention there is provided a certification authority device for use in a communication system realizing email access control, comprising: a computer hardware; and a computer software for causing the computer hardware to issue to each user an official identification of each user by which each user is uniquely identifiable by the certification authority device, and an anonymous identification of each user which contains at least one fragment of the official identification.

[0122] According to another aspect of the present invention there is provided a certification authority device for use in a communication system realizing email access control, comprising: a computer hardware; and a computer software for causing the computer hardware to issue to each user an identification of each user and an enabler of the identification of each user indicating a right to change any personalized access ticket that contains the identification of each user as a holder identification, where the personalized access ticket generally contains a sender's identification and a plurality of recipient's identifications in correspondence, and one of the sender's identification and the recipient's identifications is a holder identification.

[0123] According to another aspect of the present invention there is provided a secure processing device for use in a communication system realizing email access control, comprising: a computer hardware; and a computer software for causing the computer hardware to receive from a user a request for prescribed processing on a personalized access ticket containing a sender's identification and a plurality of recipient's identifications in correspondence, where one of the sender's identification and the recipient's identifications is a holder identification, and execute the prescribed processing on the personalized access ticket when the user presented both the holder identification contained in the personalized access ticket and an enabler corresponding to the holder identification which indicates a right to change the personalized access ticket containing the identification of the user as the holder identification.
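The holder and enabler mechanism of [0088]-[0096] and its restatement for the device in [0122]-[0123] is illustrated by the following added example, which is not the patent's own code. A certification authority issues an identification and an enabler to each user; a secure processing device executes the prescribed processing (generation, merging, splitting, change of holder, change of validity period, change of transfer control flag) only when the requester presents the holder identification of the ticket together with the matching enabler. The special identification and special enabler known to all users, and a second special identification that makes a ticket read only, are modelled as well-known strings. One assumption made for brevity: the CA's signature over an enabler is replaced by a lookup in the CA's own record of issued enablers, so the check is equivalent in effect but not in mechanism; the identifiers and ticket fields are constructed, and how the merged validity period is chosen is a design decision of this example, not a rule from the text.

```python
"""Added example (not the patent's own code): a secure processing device that
carries out the prescribed processing on a 1-to-N personalized access ticket
only for a user presenting the holder identification together with its
enabler.  The CA signature over an enabler is replaced by a lookup in the CA's
record of issued enablers (an assumption); identifiers, the special
identifications and the ticket fields are constructed."""
import secrets
from dataclasses import dataclass, replace
from typing import Dict, Iterable, Tuple

SPECIAL_ID = "special"               # known to all users; usable only as holder
SPECIAL_ENABLER = "enabler:special"  # known to all users
READ_ONLY_ID = "read-only"           # special holder id that freezes the ticket


class Refused(Exception):
    """Raised when the device declines the requested processing."""


class CertificationAuthority:
    """Issues (identification, enabler) pairs and vouches for them."""
    def __init__(self) -> None:
        self._issued: Dict[str, str] = {}

    def issue(self, user: str) -> Tuple[str, str]:
        enabler = "enabler:" + user + ":" + secrets.token_hex(8)
        self._issued[user] = enabler
        return user, enabler

    def enabler_valid(self, ident: str, enabler: str) -> bool:
        # Stands in for verifying the CA signature over ("enabler", ident).
        return self._issued.get(ident) == enabler


@dataclass(frozen=True)
class Ticket:
    holder: str
    members: Tuple[str, ...]          # the other identifications of the group
    not_before: int
    not_after: int
    transfer_control_flag: bool = False


class SecureProcessingDevice:
    def __init__(self, ca: CertificationAuthority) -> None:
        self.ca = ca

    def _enabler_ok(self, ident: str, enabler: str) -> bool:
        if ident == SPECIAL_ID:
            return enabler == SPECIAL_ENABLER   # no CA-issued enabler needed
        return self.ca.enabler_valid(ident, enabler)

    def _authorize(self, t: Ticket, ident: str, enabler: str) -> None:
        if t.holder == READ_ONLY_ID:
            raise Refused("ticket is read only")
        if ident != t.holder:
            raise Refused("presented identification is not the holder")
        if not self._enabler_ok(ident, enabler):
            raise Refused("enabler does not match the holder identification")

    def generate(self, holder, enabler, members: Iterable[str], not_before, not_after,
                 flag: bool = False) -> Ticket:
        if holder == READ_ONLY_ID or not self._enabler_ok(holder, enabler):
            raise Refused("cannot generate a ticket for this holder")
        return Ticket(holder, tuple(members), not_before, not_after, flag)

    def change_holder(self, t: Ticket, ident, enabler, new_holder, new_enabler="") -> Ticket:
        """Hand the ticket to a member.  The new holder's enabler is required unless
        the new holder is a special identification; the old holder joins the members
        unless it was the special identification, which may only be a holder."""
        self._authorize(t, ident, enabler)
        demoted = (t.holder,) if t.holder != SPECIAL_ID else ()
        if new_holder == READ_ONLY_ID:
            return replace(t, holder=READ_ONLY_ID, members=t.members + demoted)
        if new_holder != SPECIAL_ID:
            if new_holder not in t.members:
                raise Refused("new holder must be a member of the ticket")
            if not self.ca.enabler_valid(new_holder, new_enabler):
                raise Refused("new holder's enabler required")
        members = tuple(m for m in t.members if m != new_holder) + demoted
        return replace(t, holder=new_holder, members=members)

    def merge(self, a: Ticket, b: Ticket, ident, enabler) -> Ticket:
        """Union of members; the validity period shrinks to the overlap (a design choice)."""
        self._authorize(a, ident, enabler)
        self._authorize(b, ident, enabler)
        members = tuple(dict.fromkeys(a.members + b.members))
        return Ticket(ident, members, max(a.not_before, b.not_before),
                      min(a.not_after, b.not_after),
                      a.transfer_control_flag or b.transfer_control_flag)

    def split(self, t: Ticket, ident, enabler, subset: Iterable[str]) -> Tuple[Ticket, Ticket]:
        self._authorize(t, ident, enabler)
        keep = set(subset)
        first = tuple(m for m in t.members if m in keep)
        rest = tuple(m for m in t.members if m not in keep)
        if not first or not rest:
            raise Refused("split must leave members on both sides")
        return replace(t, members=first), replace(t, members=rest)

    def set_validity(self, t: Ticket, ident, enabler, not_before, not_after) -> Ticket:
        self._authorize(t, ident, enabler)
        return replace(t, not_before=not_before, not_after=not_after)

    def set_transfer_control_flag(self, t: Ticket, ident, enabler, flag: bool) -> Ticket:
        self._authorize(t, ident, enabler)
        return replace(t, transfer_control_flag=flag)


def is_refused(fn, *args) -> bool:
    """True when the device refuses the operation (for callers and tests)."""
    try:
        fn(*args)
    except Refused:
        return True
    return False
```

The point of the enabler is separation of knowing from controlling: every member identification appears in the ticket, so knowing an identification is not proof of the right to change the ticket; only the holder, who can also present the CA-issued enabler, can alter it. A ticket whose holder has been set to the read-only identification rejects every further operation.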

[0124] According to another aspect of the present 
invention there is provided a computer usable medium 
having computer readable program code means 
embodied therein for causing a computer to function as 
a secure communication service device for use in a 
commurticatton system realizing email access control, 
the computer readable program code means includes: 
first computer readable program code means for caus- 
ing said computer to receive a personafized access 
ticket containing a sender's identification and a recipi- 
ent's identification in correspondence, which is pre- 
sented by a sender who wishes to send an email to a 
recipient so as to specify the recipient as an intended 
destination of the email; and second computer readable 
program code means for causmg said computer to con- 
trol accesses between the sender and the recipient by 
verifying an access right of the sender with respect to 
the recipient according to the personalized access 
ticket, so as to connect communications between the 
sender and the receiver on the communication network. 
[0125] Also, in this aspect of the present invention, the 
second computer readable program code means 
causes said computer to authenticate the personafized 
access ticket presented by the sender, and refuse a 
delivery of the email when the personalized access 
ticket presented by the sender has been altered. 
[0126] Also, in this aspect of the present invention, the 
personalized access ticket is signed by a secret key of a 
secure processing device which issued the personal- 
ized access ticket and the second computer readable 
program code means causes said computer to authen- 
ticate the personafized access ticket by verifying a sig- 
nature of the secure processing device in the 
personalized access ticket using a public key of the 
secure processing device. 

[01 27] Also, in this aspect of the present invention, the 
first computer readable program code means causes 
said computer to also receive the sender's identification 
presented by the sender along with the personafized 
access ticket, and the second computer readable pro- 
gram code means causes said computer to check 
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whether the sender's ktenffiication presented by the 
sender is contained in the personalized access ticket 
presented by the sender and refuse a delivery of the 
email when the senders identification presented by the 
sender is not contained in the personalized access 5 
ticket presented by the sender. 
[01 28] Also, in this aspect of the present invention, the 
personalized access ticket also contains a vafidity 
period indicating a period for which the personalized 
access ticket is valid, and the second computer reada- 10 
ble program code means causes said computer to 
check the validity period contained in the personalized 
access ticket presented by the sender and refuse a 
delivery of the email when the personalized access 
ticket presented by the sender contains the validity 75 
period that has already been expired. 
[0129] Also, in this aspect of the present invention, the second computer readable program code means can cause said computer to register in advance the personalized access ticket containing an identification of a specific user from which a delivery of emails to a specific registrant is to be refused as the sender's identification and an identification of the specific registrant as the recipient's identification, at the secure communication service device, and refuse a delivery of the email from the sender when the personalized access ticket presented by the sender is registered at the secure communication service device in advance.
[0130] Also, in this aspect of the present invention, the second computer readable program code means can cause said computer to delete the personalized access ticket registered at the secure communication service device upon request from the specific registrant who registered the personalized access ticket.
[0131] Also, in this aspect of the present invention, the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service device, and when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the second computer readable program code means causes said computer to authenticate the sender's identification presented by the sender and refuse a delivery of the email when an authentication of the sender's identification fails.
[0132] Also, in this aspect of the present invention, the second computer readable program code means causes said computer to realize the authentication of the sender's identification by a challenge/response procedure between the sender and the secure communication service device.

[0133] Also, in this aspect of the present invention, the sender's identification and the recipient's identification in the personalized access ticket can be given by anonymous identifications of the sender and the recipient, where an anonymous identification of each user contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority, and the second computer readable program code means can also cause said computer to probabilistically identify an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.
[0134] Also, in this aspect of the present invention, an anonymous identification of each user that contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority and a link information of each anonymous identification by which each anonymous identification can be uniquely identified can be defined, the sender's identification and the recipient's identification in the personalized access ticket can be given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient, and the second computer readable program code means can also cause said computer to probabilistically identify an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.

[0135] Also, in this aspect of the present invention, when the access right of the sender with respect to the recipient is verified according to the personalized access ticket, the second computer readable program code means causes said computer to take out the recipient's identification from the personalized access ticket by using the sender's identification presented by the sender, convert the mail by using the taken out recipient's identification into a format that can be interpreted by a mail transfer function for actually carrying out a mail delivery processing, and give the mail after conversion to the mail transfer function by attaching the personalized access ticket.

[0136] According to another aspect of the present invention there is provided a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a secure processing device for use in a communication system realizing email access control, the computer readable program code means includes: first computer readable program code means for causing said computer to receive a request for a personalized access ticket from a user; and second computer readable program code means for causing said computer to issue the personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is signed by a secret key of the secure processing device.

[0137] According to another aspect of the present invention there is provided a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a directory service device for use in a communication system realizing email access control, the computer readable program code means includes: first computer readable program code means for causing said computer to manage an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than a personal information, in a state which is accessible for search by unspecified many, and second computer readable program code means for causing said computer to issue a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, to the sender in response to search conditions specified by the sender, by using an identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.

[0138] According to another aspect of the present invention there is provided a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a certification authority device for use in a communication system realizing email access control, the computer readable program code means includes: first computer readable program code means for causing said computer to issue to each user an official identification of each user by which each user is uniquely identifiable by the certification authority device; and second computer readable program code means for causing said computer to issue to each user an anonymous identification of each user which contains at least one fragment of the official identification.

[0139] According to another aspect of the present invention there is provided a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a certification authority device for use in a communication system realizing email access control, the computer readable program code means includes: first computer readable program code means for causing said computer to issue to each user an identification of each user; and second computer readable program code means for causing said computer to issue to each user an enabler of the identification of each user indicating a right to change any personalized access ticket that contains the identification of each user as a holder identification, where the personalized access ticket generally contains a sender's identification and a plurality of recipient's identifications in correspondence, and one of the sender's identification and the recipient's identifications is a holder identification.

[0140] According to another aspect of the present invention there is provided a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a secure processing device for use in a communication system realizing email access control, the computer readable program code means includes: first computer readable program code means for causing said computer to receive from a user a request for prescribed processing on a personalized access ticket containing a sender's identification and a plurality of recipient's identifications in correspondence, where one of the sender's identification and the recipient's identifications is a holder identification; and second computer readable program code means for causing said computer to execute the prescribed processing on the personalized access ticket when the user presented both the holder identification contained in the personalized access ticket and an enabler corresponding to the holder identification which indicates a right to change the personalized access ticket containing the identification of the user as the holder identification.
[0141] Other features and advantages of the present invention will become apparent from the following description taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS 

[0142]

Fig. 1 is a diagram showing an overall configuration of a communication system according to the first embodiment of the present invention.

Fig. 2 is a diagram showing exemplary data structures of an official identification, an anonymous identification, and a 1-to-1 personalized access ticket according to the first embodiment of the present invention.

Fig. 3 is a flow chart for an anonymous identification generation processing at a certification authority according to the first embodiment of the present invention.

Fig. 4 is a flow chart for a personalized access ticket generation processing at an anonymous directory service according to the first embodiment of the present invention.

Fig. 5 is a flow chart for a mail access control processing at a secure communication service according to the first embodiment of the present invention.

Fig. 6 is a flow chart for an anonymous identification identity judgement processing at a secure communication service according to the first embodiment of the present invention.

Fig. 7 is a diagram showing exemplary data structures of data used in the anonymous identification identity judgement processing of Fig. 6.

Fig. 8 is a diagram showing exemplary data structures of an official identification, an anonymous identification, and a 1-to-N personalized access ticket according to the second embodiment of the present invention.

Fig. 9 is a diagram showing exemplary data structures of an anonymous identification and an enabler according to the second embodiment of the present invention.

Fig. 10 is a diagram showing a definition of a processing rule (MakePAT) used in the second embodiment of the present invention.

Fig. 11 is a diagram showing a definition of a processing rule (MergePAT) used in the second embodiment of the present invention.

Fig. 12 is a diagram showing a definition of a processing rule (SplitPAT) used in the second embodiment of the present invention.

Fig. 13 is a diagram showing a definition of a processing rule (TransPAT) used in the second embodiment of the present invention.

Fig. 14 is a first exemplary system configuration that can be used in the second embodiment of the present invention.

Fig. 15 is a second exemplary system configuration that can be used in the second embodiment of the present invention.

Fig. 16 is a third exemplary system configuration that can be used in the second embodiment of the present invention.

Fig. 17 is a fourth exemplary system configuration that can be used in the second embodiment of the present invention.

Fig. 18 is a fifth exemplary system configuration that can be used in the second embodiment of the present invention.

Fig. 19 is a sixth exemplary system configuration that can be used in the second embodiment of the present invention.

Fig. 20 is a seventh exemplary system configuration that can be used in the second embodiment of the present invention.

Fig. 21 is a flow chart showing an overall processing flow of MakePAT, MergePAT or TransPAT processing according to the second embodiment of the present invention.

Fig. 22 is a flow chart showing an overall processing flow of SplitPAT processing according to the second embodiment of the present invention.

Fig. 23 is a flow chart for an anonymous identification list generation processing (for MakePAT, MergePAT, SplitPAT and TransPAT) according to the second embodiment of the present invention.

Fig. 24 is an enabler authenticity verification processing (for MakePAT, MergePAT, SplitPAT and TransPAT) according to the second embodiment of the present invention.

Fig. 25 is a diagram showing an exemplary data structure of Null-AID used in the third embodiment of the present invention.

Fig. 26 is a diagram showing an exemplary data structure of Enabler of Null-AID used in the third embodiment of the present invention.

Fig. 27 is a diagram showing a first exemplary application of the third embodiment of the present invention.

Fig. 28 is a diagram showing a second exemplary application of the third embodiment of the present invention.

Fig. 29 is a diagram showing an exemplary data structure of God-AID used in the fourth embodiment of the present invention.

Fig. 30 is a diagram showing a first exemplary application of the fourth embodiment of the present invention.

Fig. 31 is a diagram showing a second exemplary application of the fourth embodiment of the present invention.

Fig. 32 is a flow chart for a member anonymous identification checking processing according to the fifth embodiment of the present invention.

Fig. 33 is a diagram showing an overall configuration of a communication system according to the sixth embodiment of the present invention.

Fig. 34 is a diagram showing exemplary data structures of an official identification, a link information attached anonymous identification, and a link specifying 1-to-1 personalized access ticket according to the sixth embodiment of the present invention.

Fig. 35 is a flow chart for a link information attached anonymous identification generation processing at a certification authority according to the sixth embodiment of the present invention.

Fig. 36 is a flow chart for a link specifying 1-to-1 personalized access ticket generation processing at an anonymous directory service according to the sixth embodiment of the present invention.

Fig. 37 is a flow chart for a mail access control processing at a secure communication service according to the sixth embodiment of the present invention.

Fig. 38 is a flow chart for an anonymous identification identity judgement processing at a secure communication service according to the sixth embodiment of the present invention.

Fig. 39 is a diagram showing exemplary data structures of data used in the anonymous identification identity judgement processing of Fig. 38.

Fig. 40 is a diagram showing exemplary data structures of an official identification, a link information attached anonymous identification, and a link specifying 1-to-N personalized access ticket according to the seventh embodiment of the present invention.

Fig. 41 is a diagram showing exemplary data structures of a link information attached anonymous identification and an enabler according to the seventh embodiment of the present invention.

Fig. 42 is a first exemplary system configuration that can be used in the seventh embodiment of the present invention.

Fig. 43 is a second exemplary system configuration that can be used in the seventh embodiment of the present invention.

Fig. 44 is a third exemplary system configuration that can be used in the seventh embodiment of the present invention.

Fig. 45 is a fourth exemplary system configuration that can be used in the seventh embodiment of the present invention.

Fig. 46 is a fifth exemplary system configuration that can be used in the seventh embodiment of the present invention.

Fig. 47 is a sixth exemplary system configuration that can be used in the seventh embodiment of the present invention.

Fig. 48 is a seventh exemplary system configuration that can be used in the seventh embodiment of the present invention.

Fig. 49 is a flow chart for a link specifying anonymous identification list generation processing (for MakePAT, MergePAT, SplitPAT and TransPAT) according to the seventh embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 

[0143] Referring now to Fig. 1 to Fig. 7, the first embodiment of the email access control scheme according to the present invention will be described in detail.

[0144] The email access control scheme of the present invention enables bidirectional communications between a sender and a recipient appropriately while maintaining anonymity of a sender and a recipient on a communication network. Basically, this is realized by disclosing only information indicative of characteristics of recipients in a state of concealing true identifiers of the recipients, and assigning limited access rights with respect to those who wish to carry out communications while maintaining the anonymity according to the disclosed information.

[0145] More specifically, an Anonymous Identification (abbreviated hereafter as AID) that functions as a role identifier in which a personal information is concealed is assigned to a user, and this AID is disclosed on the network in combination with an information indicative of characteristics of the user such as his/her interests, age, job, etc., which cannot be used in identifying the user on the network but which can be useful for a sender in judging whether or not it is worth communicating with that user.

[0146] Also, the sender can search out a recipient with whom he/she wishes to communicate by reading or searching through the disclosed information. Namely, in the case where the sender wishes to communicate with a recipient while maintaining his/her own anonymity, the sender specifies the AID of that recipient and acquires a Personalized Access Ticket (abbreviated hereafter as PAT). The PAT contains the AIDs of the sender and the recipient as well as information regarding a transfer control flag and a validity period. The transfer control flag is used in order to determine whether a Secure Communication Service (abbreviated hereafter as SCS) to be described below carries out the authentication with respect to the sender. Namely, when the transfer control flag is set ON, the SCS will carry out the authentication, such as signature verification for example, with respect to the sender at a time of the connection request. On the other hand, when the transfer control flag is set OFF, the SCS will give the connection request to a physical communication network to which the SCS is connected, without carrying out the authentication. In other words, the transfer control is used in order to verify whether or not the AID is properly utilized by the user to whom it is allocated by a Certification Authority (abbreviated hereafter as CA).

[0147] In the communication network realizing the email access control scheme of the present invention, the assignment of AIDs with respect to users, the maintenance of information disclosed in combination with AIDs, the issuance of PATs, and the email access control based on PATs are realized by separate organizations. This is because it is more convenient to realize them by separate organizations from a perspective of maintaining the security of the entire network, since security levels to be maintained in relation to respective actions are different. Note however that the maintenance of the disclosed information and the issuance of PATs may be realized by the same organization.
[0148] Fig. 1 shows an over all configuration of a communication system in this first embodiment, which is directed to the email service on the Internet or an Intranet.

[0149] In Fig. 1, the CA (Certification Authority) 1 has a right to authenticate an Official Identification (abbreviated hereafter as OID) that identifies each individual and a right to issue AIDs, and functions to generate AIDs from OIDs and allocate AIDs to users 3.

[0150] The SCS (Secure Communication Service) 5 judges whether or not to admit a connection in response to a connection request by an email from a user 3, according to the PAT (Personalized Access Ticket) presented from a user 3. The SCS 5 also rejects a connection request by an email according to a request from a user 3. The SCS 5 also judges the identity of OIDs according to a request from a user 3.
[0151] An Anonymous Directory Service (abbreviated hereafter as ADS) 7 is a database for managing the AID, the transfer control flag value, the validity period value, and the disclosed information (such as interests, which can be regarded as requiring a lower secrecy compared with a personal information such as name, telephone number, and real email address) of each user 3. The ADS 7 has a function to generate the PAT from the AID of a user 3 who presented search conditions, the AID of a user 3 who has been registering the disclosed information that matches the search conditions in the ADS 7, the transfer control flag value given from a user 3 or administrators of the ADS, and the validity period value given from a user 3 or administrators of the ADS, and then allocate the PAT to a user 3 who presented the search conditions.
[0152] First, a series of processing from generating the AID from the OID according to a request from a user until allocating the AID to that user will be described.
[0153] Fig. 2 shows exemplary formats of the OID, the AID, and the PAT. As shown in a part (a) of Fig. 2, the OID is an information comprising an arbitrary character string according to a rule by which the CA 1 can uniquely identify the user and a public key, which is signed by the CA 1 using a secret key of the CA 1.
[0154] Also, as shown in a part (b) of Fig. 2, the AID is an information comprising fragments of the OID and their position information, redundant character strings, and an SCS information given by an arbitrary character string (host name, real domain name, etc.) by which a host or a domain that is operating the SCS 5 can be uniquely identified on the network, which is signed by the CA 1 using the secret key of the CA 1.
[0155] Also, as shown in a part (c) of Fig. 2, the PAT is an information comprising the transfer control flag, the AIDs of the sender and the recipient, and the validity period, which is signed by the ADS 7 using a secret key of the ADS 7. Here, the transfer control flag value is defined to take either 0 or 1. Also, the validity period is defined by any one or combination of the number of times for which the PAT is available, the absolute time (UTC) by which the PAT becomes unavailable, the absolute time (UTC) by which the PAT becomes available, and the relative time (lifetime) since the PAT becomes available until it becomes unavailable.

[0156] Note that as will be explained in the subsequent embodiments described below, in addition to the 1-to-1 PAT which sets one sender and one recipient in correspondence as described above, the present invention can also use a 1-to-N PAT which sets one sender and N recipients in correspondence, as well as a link specifying PAT which specifies the AID by a link information that is capable of specifying the AID instead of specifying the AID itself in the PAT. The link specifying PAT can be either a link specifying 1-to-1 PAT or a link specifying 1-to-N PAT depending on the correspondence relationship between the sender and the recipients as described above. Namely, the PAT of the present invention can be given in four types: 1-to-1 PAT, 1-to-N PAT, link specifying 1-to-1 PAT, and link specifying 1-to-N PAT.
[0157] Next, a procedure by which the user 3 requests the AID from the CA 1 will be described. The user 3 generates a pair of a secret key and a public key. Then, the user 3 and the CA 1 carry out the bidirectional authentication using the OID of the user 3 and the certificate of the CA 1, and the user 3 transmits the public key to the CA 1 by arbitrary means. Here, there can be cases where communications between the user 3 and the CA 1 are to be encrypted.



[0158] Next, a procedure by which the CA 1 issues the AID to the user 3 in response to a request for the AID as described above will be described. Upon receiving the public key from the user 3, the CA 1 generates the AID. Then, the CA 1 transmits the AID to the user 3 by arbitrary means. Upon receiving the AID from the CA 1, the user 3 stores the received AID into its storage device. Here, there can be cases where communications between the user 3 and the CA 1 are to be encrypted.
[0159] Next, the AID generation processing at the CA 1 will be described with reference to Fig. 3.

[0160] In the procedure of Fig. 3, the CA 1 generates an information of a length equal to the total length L of the OID, and sets this information as a tentative AID (step S911). Then, in order to carry out the partial copying of the OID, values of parameters p_i and l_i for specifying a copying region are determined using arbitrary means such as random number generation, respectively (step S913). Here, L is equal to the total length L of the OID, and l_i is an arbitrarily defined value within a range in which a relationship of 0 < l_i <= L holds. Then, an information in a range between a position p_i and a position p_i + l_i from the top of the OID is copied to the same positions in the tentative AID (step S915). In other words, this OID fragment will be copied to a range between a position p_i and a position p_i + l_i from the top of the tentative AID. Then, the values of p_i and l_i are written into a prescribed range in the tentative AID into which the OID has been partially copied, in a form encrypted by an arbitrary means (step S917). Then, an SCS information given by an arbitrary character string (host name, real domain, etc.) that can uniquely identify a host or a domain that is operating the SCS 5 on the network is written into a prescribed range in the tentative AID into which these values are written (step S919). Then, the tentative AID into which the above character string is written is signed using a secret key of the CA 1 (step S921).
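The AID generation of Fig. 3 ([0160]) and the identity judgement of [0133], in which the SCS reassembles an OID from the fragments carried by several AIDs of one sender, as an added example in Go. This code is not part of the patent. It assumes Ed25519 for the CA signature, AES-GCM under a key shared between the CA and the SCS for the encrypted (p, l) field (the page says only "arbitrary means"), that a fragment lies wholly inside the OID, and a constructed OID string; the names CA, AID, MakeAID, Judge and the SCS host name are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"math/big"
)

// AID is the anonymous identification of Fig. 2(b). Body has the OID's total
// length L: bytes p..p+l-1 are copied from the OID, the rest is random filler.
// AES-GCM under a key shared by the CA and the SCS for (p, l) is an assumption.
type AID struct {
	Body   []byte
	PosEnc []byte // nonce || AES-GCM ciphertext of (p, l)
	SCS    string // host or domain operating the SCS
	Sig    []byte // CA signature over Body, PosEnc and SCS
}

func (a AID) tbs() []byte { return bytes.Join([][]byte{a.Body, a.PosEnc, []byte(a.SCS)}, []byte{0}) }

// newGCM cannot fail for a 16-byte AES key, so the errors are dropped.
func newGCM(key [16]byte) cipher.AEAD { b, _ := aes.NewCipher(key[:]); g, _ := cipher.NewGCM(b); return g }
func randInt(n int) int { v, _ := rand.Int(rand.Reader, big.NewInt(int64(n))); return int(v.Int64()) }

type CA struct { // signing key (step S921) and position-encryption key (S917)
	Priv   ed25519.PrivateKey
	PosKey [16]byte
}

// MakeAID follows Fig. 3: S911 random tentative AID of length L, S913 choose p and l,
// S915 copy OID[p:p+l] to the same positions, S917/S919 write (p, l) and SCS, S921 sign.
func (c CA) MakeAID(oid []byte, scs string) (AID, error) {
	L, gcm := len(oid), newGCM(c.PosKey)
	buf := make([]byte, L+gcm.NonceSize()) // tentative AID followed by the GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return AID{}, err
	}
	body, nonce := buf[:L], buf[L:]
	l := 1 + randInt(L)     // page: 0 < l <= L
	p := randInt(L - l + 1) // assumption: the fragment must lie inside the OID
	copy(body[p:p+l], oid[p:p+l])
	pos := make([]byte, 8)
	binary.BigEndian.PutUint32(pos, uint32(p))
	binary.BigEndian.PutUint32(pos[4:], uint32(l))
	a := AID{Body: body, PosEnc: gcm.Seal(nonce, nonce, pos, nil), SCS: scs}
	a.Sig = ed25519.Sign(c.Priv, a.tbs())
	return a, nil
}

// Judge is the identity judgement of [0133] as the SCS would run it over the AIDs
// one sender has used: verify each AID, recover its (p, l), require the fragments to
// agree wherever they overlap and assemble the OID bytes they reveal. Returns the
// partial OID (zero where unknown) and the number of recovered bytes.
func Judge(caPub ed25519.PublicKey, posKey [16]byte, aids []AID) ([]byte, int, error) {
	if len(aids) == 0 {
		return nil, 0, fmt.Errorf("no AIDs to judge")
	}
	gcm, L := newGCM(posKey), len(aids[0].Body)
	ns := gcm.NonceSize()
	oid, known, n := make([]byte, L), make([]bool, L), 0
	for _, a := range aids {
		if !ed25519.Verify(caPub, a.tbs(), a.Sig) || len(a.PosEnc) < ns {
			return nil, 0, fmt.Errorf("AID forged or truncated")
		}
		pos, err := gcm.Open(nil, a.PosEnc[:ns], a.PosEnc[ns:], nil)
		if err != nil || len(pos) != 8 {
			return nil, 0, fmt.Errorf("AID position field undecryptable")
		}
		p, l := int(binary.BigEndian.Uint32(pos)), int(binary.BigEndian.Uint32(pos[4:]))
		if len(a.Body) != L || p+l > L {
			return nil, 0, fmt.Errorf("AID length or position inconsistent")
		}
		for i := p; i < p+l; i++ {
			if known[i] && oid[i] != a.Body[i] {
				return nil, 0, fmt.Errorf("fragments disagree at byte %d: not one OID", i)
			}
			if !known[i] {
				n++
			}
			oid[i], known[i] = a.Body[i], true
		}
	}
	return oid, n, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ca := CA{Priv: priv}
	rand.Read(ca.PosKey[:])
	oid := []byte("user-0001|pk:3f9a") // constructed OID; a real one also carries the public key
	a1, _ := ca.MakeAID(oid, "scs.example.org")
	a2, _ := ca.MakeAID(oid, "scs.example.org")
	got, n, err := Judge(pub, ca.PosKey, []AID{a1, a2})
	fmt.Printf("recovered %d of %d OID bytes: %q (err=%v)\n", n, len(oid), got, err)
}
```

Two AIDs of the same OID always agree on an overlap because the copied bytes come from the same source, so a disagreement is conclusive (different OIDs or a forgery), while agreement is only evidence: the filler outside a fragment is random, and the more AIDs of one sender the SCS has seen, the more of the OID is recovered, which is what makes the identification of [0133] probabilistic.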

[0161] Next, a procedure for registering the AID of a user-B 3 and the disclosed information into the ADS 7 will be described. First, the bidirectional authentication by arbitrary means using the AID of the user-B 3 and the certificate of the ADS 7 is carried out between the user-B 3 who is a registrant and the ADS 7. Then, the user-B 3 transmits the transfer control flag value, the validity period value, and the disclosed information such as interests to the ADS 7. Then, the ADS 7 stores the transfer control flag value, the validity period value, and the entire disclosed information in relation to the AID of the user-B 3 in its storage device. Here, there can be cases where communications between the user-B 3 who is the registrant and the ADS 7 are to be encrypted.
[0162] Next, a procedure by which a user-A 3 searches through the disclosed information that is registered in the ADS 7 will be described. First, the bidirectional authentication by arbitrary means using the AID of the user-A 3 and the certificate of the ADS 7 is carried out between the user-A 3 who is a searcher and the ADS 7. Then, the user-A 3 transmits arbitrary search conditions to the ADS 7. Then, the ADS 7 presents all the received search conditions to its storage device, and extracts the AID of a registrant which satisfies these search conditions. Then, the ADS 7 generates the PAT from the AID of the user-A 3, the AID of the registrant who satisfied all the search conditions, the transfer control flag value, and the validity period value. Then, the ADS 7 transmits the generated PAT to the user-A 3. Here, there can be cases where communications between the user-A 3 who is a searcher and the ADS 7 are to be encrypted. Note that the 1-to-1 PAT is generated as a search result of the ADS 7.
[0163] Next, the 1-to-1 PAT generation processing at the ADS 7 will be described with reference to Fig. 4.

[0164] First, an information of a prescribed length is generated, and this information is set as a tentative PAT (step S1210). Then, the AID of the user-A 3 who is a searcher and the AID of the user-B 3 who is a registrant are copied into a prescribed region of the tentative PAT (step S1215). Then, the transfer control flag value and the validity period value are written into respective prescribed regions of the tentative PAT into which the AIDs are copied (step S1217). Then, the tentative PAT into which these values are written is signed using a secret key of the ADS 7 (step S1219).
[0165] Next, the transfer control using the 1-to-1 PAT will be described. The transfer control is a function for limiting accesses to those made by a user who has a proper access right, excluding a third person to whom the PAT has been transferred or who has eavesdropped the PAT (a user who originally does not have the access right).

[0166] The ADS 7 and the user-B 3 of the registrant AID can prohibit a connection to the user-B 3 from a third person who does not have the access right by setting a certain value into the transfer control flag of the PAT.

[0167] When the transfer control flag value is set to be 1, the sender's AID is authenticated between the SCS 5 and the sender according to an arbitrary challenge/response process, so that even if the sender gives both the sender's AID and the PAT to another user other than the sender, that another user will not be able to make a connection to the registrant of the ADS 7 through the SCS 5.

[0168] On the other hand, when the transfer control flag value is set to be 0, no challenge/response process will be carried out between the SCS 5 and the sender, so that if the sender gives both the sender's AID and the PAT to another user other than the sender, that another user will also be able to make a connection to the registrant of the ADS 7 through the SCS 5.
[0169] Next, the email access control method at the SCS 5 will be described with reference to Fig. 5.

[0170] The sender specifies "[sender's AID]@[real domain of SCS of sender]" in the From: line, and "[PAT]@[real domain of SCS of sender]" in the To: line.
[0171] The SCS 5 acquires a mail received by an MTA (Message Transfer Agent) over SMTP (Simple Mail Transfer Protocol), and executes the processing of Fig. 5 as follows.

(1) The signature of the PAT is verified using a public key of the ADS 7 (step S1413).

When the PAT is found to have been altered (step S1415 YES), the mail is discarded and the processing is terminated (step S1416).

When the PAT is found to have been not altered (step S1415 NO), the following processing (2) is executed.

(2) The search is carried out by presenting the sender's AID to the PAT (steps S1417, S1419, S1421).

When an AID that completely matches with the sender's AID is not contained in the PAT (step S1423 NO), the mail is discarded and the processing is terminated (step S1416).

When an AID that completely matches with the sender's AID is contained in the PAT (step S1423 YES), the following processing (3) is executed.

(3) The validity period value of the PAT is evaluated (steps S1425, S1427).

When the PAT is outside the validity period (step S1427 NO), the mail is discarded and the processing is terminated (step S1416).

When the PAT is within the validity period (step S1427 YES), the following processing (4) is executed.

(4) Whether or not to authenticate the sender is determined by referring to the transfer control flag value of the PAT (steps S1431, S1433).

When the value is 1 (step S1433 YES), the challenge/response authentication between the SCS 5 and the sender is carried out and the signature of the sender is verified (step S1435). When the signature is valid, the recipient is specified and the PAT is attached (step S1437). When the signature is invalid, the mail is discarded and the processing is terminated (step S1416).

When the value is 0 (step S1433 NO), the recipient is specified and the PAT is attached without executing the challenge/response authentication (step S1437).

[0172] Next, an exemplary challenge/response authentication between the SCS 5 and the sender will be described.

[0173] First, the SCS 5 generates an arbitrary information such as a timestamp, for example, and transmits the generated information to the sender.
[0174] Then, the sender signs the received information using a secret key of the sender's AID and transmits it along with a public key of the sender's AID.
[0175] The SCS 5 then verifies the signature of the received information using the public key of the sender's AID. When the signature is valid, the recipient is specified and the PAT is attached. When the signature is invalid, the mail is discarded and the processing is terminated.

[0176] Next, a method for specifying the recipient at the SCS 5 will be described. First, the SCS 5 carries out the search by presenting the sender's AID to the PAT, so as to acquire all the AIDs which do not completely match the sender's AID. All these acquired AIDs will be defined as recipient's AIDs hereafter. Then, for every recipient's AID, the real domain of SCS of recipient is taken out from the recipient's AID. Then, the recipient is specified in a format of "[recipient's AID]@[real domain of SCS of recipient]". Finally, the SCS 5 changes the sender from a format of "[sender's AID]@[real domain of SCS of sender]" to a format of "[sender's AID]".
[0177] Next, a method for attaching the PAT at the SCS 5 will be described. The SCS 5 attaches the PAT to an arbitrary position in the mail. The SCS 5 gives the mail to the MTA after specifying the sender and the recipient and attaching the PAT.
[0178] Note that all the processings described above are the same in the case of the 1-to-N PAT.
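
The Fig. 5 processing at the SCS, the challenge/response of [0173]-[0175] and the recipient specification of [0176] and [0177], carried through as an added example that is not part of the patent. It assumes JSON-serialised PATs, HMAC-SHA256 tags under constructed keys standing in for the ADS's and the sender's public-key signatures, a per-AID verification key held by the SCS in place of the public key the sender transmits, and a validity period reduced to one absolute UTC expiry.

```python
import hashlib, hmac, json, secrets, time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


def sig_tag(key: bytes, payload: dict) -> str:
    """Stand-in for a digital signature (assumption): HMAC-SHA256 over canonical JSON."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


@dataclass
class PAT:
    aids: List[str]        # sender's and recipient's AIDs; each AID carries its SCS domain
    expires_at: float      # validity period reduced to one absolute UTC expiry (assumption)
    transfer_flag: int     # 1 = sender must pass challenge/response, 0 = PAT is transferable
    sig: str = ""          # ADS signature over the three fields above

    def body(self) -> dict:
        return {"aids": self.aids, "expires_at": self.expires_at, "transfer_flag": self.transfer_flag}


def issue_pat(ads_key: bytes, aids: List[str], expires_at: float, transfer_flag: int) -> PAT:
    """What the ADS does: build the PAT and sign it."""
    pat = PAT(list(aids), expires_at, transfer_flag)
    pat.sig = sig_tag(ads_key, pat.body())
    return pat


def scs_domain_of(aid: str) -> str:
    """[0176]: the real domain of the SCS is taken out of the AID (modelled as its suffix after the first dot)."""
    return aid.split(".", 1)[1]


Responder = Callable[[str], str]   # sender's side: signs the challenge with the secret key of its AID


class SCS:
    def __init__(self, ads_key: bytes, aid_keys: dict, now: Callable[[], float] = time.time):
        self.ads_key = ads_key
        self.aid_keys = aid_keys   # AID -> verification key; stands in for the AID's public key
        self.now = now

    def challenge_response(self, sender_aid: str, respond: Responder) -> bool:
        """[0173]-[0175]: send fresh information, have the sender sign it, verify the signature."""
        challenge = f"{self.now()}:{secrets.token_hex(8)}"
        response = respond(challenge)
        key = self.aid_keys.get(sender_aid)
        return key is not None and hmac.compare_digest(response, sig_tag(key, {"challenge": challenge}))

    def process_mail(self, mail: dict, respond: Optional[Responder] = None) -> Tuple[str, Optional[dict]]:
        """Fig. 5 steps (1)-(4) on a mail taken from the MTA; returns (result, mail for the MTA or None)."""
        sender_aid = mail["From"].split("@", 1)[0]   # From: "[sender's AID]@[real domain of SCS of sender]"
        pat: PAT = mail["To"]                         # To: carries the PAT (serialised in the text, an object here)
        # (1) S1413-S1416: signature of the PAT under the ADS key
        if not hmac.compare_digest(pat.sig, sig_tag(self.ads_key, pat.body())):
            return "discard: PAT altered", None
        # (2) S1417-S1423: an AID completely matching the sender's AID must be in the PAT
        if sender_aid not in pat.aids:
            return "discard: sender AID not in PAT", None
        # (3) S1425-S1427: validity period
        if self.now() >= pat.expires_at:
            return "discard: PAT expired", None
        # (4) S1431-S1435: transfer control flag 1 requires sender authentication
        if pat.transfer_flag == 1 and (respond is None or not self.challenge_response(sender_aid, respond)):
            return "discard: sender authentication failed", None
        # S1437 / [0176]: every other AID in the PAT is a recipient, addressed at its own SCS
        recipients = [f"{aid}@{scs_domain_of(aid)}" for aid in pat.aids if aid != sender_aid]
        out = {k: v for k, v in mail.items() if k != "To"}
        out["From"] = sender_aid                        # sender rewritten to the bare AID
        out["To"] = recipients
        out["X-PAT"] = {**pat.body(), "sig": pat.sig}   # [0177]: the PAT is attached to the mail
        return "accepted", out


# Constructed sample keys and AIDs (AID = fragment string + "." + real domain of its SCS)
ADS_KEY = b"ads-signing-key"
KEY_A = b"secret-key-of-aid-a"
AID_A = "7f3a9c.scs-a.example"
AID_B = "e21b44.scs-b.example"
SCS_A = SCS(ADS_KEY, {AID_A: KEY_A})


def sender_a_responds(challenge: str) -> str:
    """User-A's terminal signing the SCS's challenge with the secret key of AID_A."""
    return sig_tag(KEY_A, {"challenge": challenge})


def mail_from_a(pat: PAT) -> dict:
    """A mail as the MTA hands it to the SCS: From: carries the AID, To: carries the PAT."""
    return {"From": f"{AID_A}@scs-a.example", "To": pat, "Subject": "hello"}


if __name__ == "__main__":
    pat = issue_pat(ADS_KEY, [AID_A, AID_B], time.time() + 3600, 1)
    print(SCS_A.process_mail(mail_from_a(pat), sender_a_responds))   # accepted
    print(SCS_A.process_mail(mail_from_a(pat)))                      # discarded: no authentication
```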
[0179] Next, a method of receiving refusal with respect to the PAT at the SCS 5 will be described.
[0180] Receiving refusal setting: The bidirectional authentication is carried out by an arbitrary means between the user and the SCS 5. Then, the user transmits a registration command, his/her own AID, and arbitrary PATs to the SCS 5. Then, the SCS 5 verifies the signature of the received AID. If the signature is invalid, the processing of the SCS 5 is terminated. If the signature is valid, the SCS 5 next verifies the signature of each received PAT using a public key of the ADS. Those PATs with the invalid signature are discarded by the SCS 5. When the signature is valid, the SCS 5 carries out the search by presenting the received AID to each PAT. For each of those PATs which contain the AID that completely matches with the received AID, the SCS 5 presents the registration command and the PAT to the storage device such that the PAT is registered into the storage device. Those PATs which do not contain the AID that completely matches with the received AID are discarded by the SCS 5 without storing them into the storage device. Here, there can be cases where communications between the user and the SCS 5 are to be encrypted.

[0181] Receiving refusal execution: The SCS 5 carries out the search by presenting the PAT to the storage device. When a PAT that completely matches the presented PAT is registered in the storage device, the mail is discarded. When a PAT that completely matches the presented PAT is not registered in the storage device, the mail is not discarded.

[0182] Receiving refusal cancellation: The bidirectional authentication is carried out by an arbitrary means between the user and the SCS 5. Then, the user presents his/her own AID to the SCS 5. Then, the SCS 5 verifies the signature of the received AID. If the signature is invalid, the processing of the SCS 5 is terminated. If the signature is valid, the SCS 5 next presents the presented AID as a search condition to the storage device and acquires all the PATs that contain the presented AID, and then presents all the acquired PATs to the user. Then, the user selects all the PATs for which the receiving refusal is to be cancelled by referring to all the PATs presented from the SCS 5, and transmits all the selected PATs along with a deletion command to the SCS 5. Upon receiving the deletion command and all the PATs for which the receiving refusal is to be cancelled, the SCS 5 presents the deletion command and all the PATs received from the user to the storage device, such that all the received PATs are deleted from the storage device.

[0183] Note that the method of receiving refusal with respect to the 1-to-N PAT at the SCS 5 is the same as the method of receiving refusal with respect to the 1-to-1 PAT described above.
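
The three receiving-refusal operations of [0180] to [0182] (setting, execution, cancellation) against the SCS's storage device, as an added example that is not part of the patent. It assumes PATs and AIDs serialised as JSON with HMAC-SHA256 tags under constructed keys standing in for the ADS's and CA's signatures, a PAT "completely matching" a stored one when their serialisations are equal, and that the bidirectional user/SCS authentication of the text has already succeeded before these methods are called.

```python
import hashlib, hmac, json
from typing import Dict, List


def sig_tag(key: bytes, payload: dict) -> str:
    """Stand-in for a digital signature (assumption): HMAC-SHA256 over canonical JSON."""
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def make_pat(ads_key: bytes, aids: List[str], expires_at: int = 4102444800, flag: int = 1) -> dict:
    """A PAT as the ADS would issue it: AIDs, validity, transfer control flag, ADS signature."""
    body = {"aids": list(aids), "expires_at": expires_at, "transfer_flag": flag}
    return {**body, "sig": sig_tag(ads_key, body)}


def make_aid(ca_key: bytes, value: str) -> dict:
    """An AID with its CA signature (the SCS checks this before acting on a request)."""
    return {"aid": value, "sig": sig_tag(ca_key, {"aid": value})}


def pat_key(pat: dict) -> str:
    """Canonical form used to decide whether a PAT 'completely matches' a stored one."""
    return json.dumps(pat, sort_keys=True)


class RefusalStore:
    """The SCS's storage device of PATs whose mails are to be refused."""

    def __init__(self, ca_key: bytes, ads_key: bytes):
        self.ca_key, self.ads_key = ca_key, ads_key
        self.refused: Dict[str, dict] = {}

    def _aid_valid(self, aid: dict) -> bool:
        return hmac.compare_digest(aid["sig"], sig_tag(self.ca_key, {"aid": aid["aid"]}))

    def _pat_valid(self, pat: dict) -> bool:
        body = {k: v for k, v in pat.items() if k != "sig"}
        return hmac.compare_digest(pat["sig"], sig_tag(self.ads_key, body))

    def register(self, aid: dict, pats: List[dict]) -> int:
        """[0180] receiving refusal setting; returns the number of PATs stored."""
        if not self._aid_valid(aid):
            return 0                      # invalid AID signature: processing terminated
        stored = 0
        for pat in pats:
            if not self._pat_valid(pat):
                continue                  # invalid ADS signature: PAT discarded
            if aid["aid"] not in pat["aids"]:
                continue                  # PAT does not contain the user's AID: discarded
            self.refused[pat_key(pat)] = pat
            stored += 1
        return stored

    def refuses(self, pat: dict) -> bool:
        """[0181] receiving refusal execution: True means the mail carrying this PAT is discarded."""
        return pat_key(pat) in self.refused

    def list_for(self, aid: dict) -> List[dict]:
        """[0182] first half: all registered PATs containing the presented AID."""
        if not self._aid_valid(aid):
            return []
        return [p for p in self.refused.values() if aid["aid"] in p["aids"]]

    def cancel(self, aid: dict, selected: List[dict]) -> int:
        """[0182] second half: delete the PATs the user selected; returns the number deleted."""
        if not self._aid_valid(aid):
            return 0
        removed = 0
        for pat in selected:
            if aid["aid"] not in pat["aids"]:
                continue                  # added check (assumption): only PATs naming this user
            if self.refused.pop(pat_key(pat), None) is not None:
                removed += 1
        return removed


# Constructed sample data
CA_KEY, ADS_KEY = b"ca-signing-key", b"ads-signing-key"
AID_A, AID_B, AID_C = "7f3a9c.scs-a.example", "e21b44.scs-b.example", "c0ffee.scs-c.example"
PAT_AB = make_pat(ADS_KEY, [AID_A, AID_B])
PAT_AC = make_pat(ADS_KEY, [AID_A, AID_C])
USER_B = make_aid(CA_KEY, AID_B)

if __name__ == "__main__":
    store = RefusalStore(CA_KEY, ADS_KEY)
    forged = {**PAT_AB, "transfer_flag": 0}                       # altered after the ADS signed it
    print(store.register(USER_B, [PAT_AB, PAT_AC, forged]))       # 1: only PAT_AB is stored
    print(store.refuses(PAT_AB), store.refuses(PAT_AC))           # True False
    print(store.cancel(USER_B, store.list_for(USER_B)), store.refuses(PAT_AB))   # 1 False
```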

[0184] Note also that the case of returning a mail from the user-B to the user-A is the same as the case of transmitting a mail from the user-A to the user-B.
[0185] Next, the judgement of identity will be described with reference to Fig. 6 and Fig. 7.

(1) An initial value of a variable OID_M is defined as a bit sequence with a length equal to the total length L of the OID and all values equal to "0". Also, an initial value of a variable OID_V is defined as a bit sequence with a length equal to the total length of the OID and all values equal to "1" (step S2511).

(2) One AID is selected from a set of processing target AIDs, and the following bit processing is carried out (step S2513).

(a) Values of variables AID_M and AID_V are determined according to the position information contained in the AID (step S2515). Here, AID_M is defined as a bit sequence with a length equal to the total length L of the OID in which the value at a position at which the OID information is defined is "1" while the value at a position at which the OID information is not defined is "0" (see Fig. 7). Also, AID_V is defined as a bit sequence with a length equal to the total length L of the OID in which the value at a position at which the OID information is defined is the actual value of the OID information while the value at a position at which the OID information is not defined is "0" (see Fig. 7).

(b) AND processing of OID_M and AID_M is carried out and its result is substituted into a variable OVR_M (step S2517).

(c) AND processing of OVR_M and AID_V as well as AND processing of OVR_M and OID_V are carried out and their results are compared (step S2519). When they coincide, OR processing of OID_M and AID_M is carried out and its result is substituted into OID_M (step S2521), while OR processing of OID_V and AID_V is also carried out and its result is substituted into OID_V (step S2523). On the other hand, when they do not coincide, the processing proceeds to the step S2525.

(d) An AID to be processed next is selected from the set of processing target AIDs. When at least one other AID is contained in the set, the steps S2513 to S2523 are executed for that other AID. When no other AID is contained in the set, the processing proceeds to the step S2527.

(e) Values of OID_M and OID_V are outputted (step S2527).

[0186] The value of OID_M that is eventually obtained indicates all positions of the OID information that can be recovered from the set of processing target AIDs. Also, the value of OID_V that is eventually obtained indicates all the OID information that can be recovered from the set of processing target AIDs. In other words, by using the values of OID_M and OID_V, it is possible to obtain the OID, albeit probabilistically, when the value of OID_V is used as a search condition, and it is possible to quantitatively evaluate a precision of the above search by a ratio OID_M/L with respect to the total length L of the OID.
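
The judgement of identity of Fig. 6 and Fig. 7 carried through in code, as an added example that is not part of the patent. It models the OID as an L-bit integer and each AID's contribution as (positions, bit values) with constructed sample OIDs, and it initialises OID_V to all zeros rather than all ones (an assumption: the OR-merge of step (c) can only accumulate values from zero); it also shows the case the text's comparison exists for, an AID carrying a conflicting fragment from a different OID.

```python
from dataclasses import dataclass
from typing import List, Tuple

L = 16   # total bit length of the OID (constructed for the example)


@dataclass(frozen=True)
class AIDFragment:
    """The OID-related content of one AID: the OID bit positions it carries
    (its position information) and the OID bit values at those positions."""
    positions: Tuple[int, ...]
    values: Tuple[int, ...]

    def masks(self) -> Tuple[int, int]:
        """Step (a): AID_M has 1 where OID information is defined, 0 elsewhere;
        AID_V has the actual OID bit there and 0 elsewhere. Bit i of the int is OID position i."""
        aid_m = aid_v = 0
        for pos, bit in zip(self.positions, self.values):
            aid_m |= 1 << pos
            aid_v |= (bit & 1) << pos
        return aid_m, aid_v


def judge_identity(fragments: List[AIDFragment]) -> Tuple[int, int, List[bool]]:
    """Steps (b) to (e): returns OID_M, OID_V and, per AID, whether it was merged."""
    oid_m = 0   # step S2511: no OID position recovered yet
    oid_v = 0   # assumption: zero, so that the OR of step (c) accumulates values
    merged: List[bool] = []
    for frag in fragments:
        aid_m, aid_v = frag.masks()
        ovr_m = oid_m & aid_m                      # (b) positions known from both sides
        if (ovr_m & aid_v) == (ovr_m & oid_v):     # (c) do the overlapping values agree?
            oid_m |= aid_m                         # S2521
            oid_v |= aid_v                         # S2523
            merged.append(True)
        else:
            merged.append(False)                   # conflicting AID: skipped (S2525)
    return oid_m, oid_v, merged


def precision(oid_m: int, total_len: int = L) -> float:
    """[0186]: ratio OID_M/L, the fraction of OID positions recovered."""
    return bin(oid_m).count("1") / total_len


def fragment_of(oid: int, positions) -> AIDFragment:
    """Cuts a fragment out of a full OID; only used here to construct sample AIDs."""
    positions = tuple(positions)
    return AIDFragment(positions, tuple((oid >> p) & 1 for p in positions))


# Constructed sample: three AIDs of one user, and one AID of another user whose OID
# differs at positions 4 and 5, so its fragment conflicts with what was already recovered.
OID_X = 0b1011_0010_1110_0101
AIDS_SAME_USER = [
    fragment_of(OID_X, range(0, 6)),
    fragment_of(OID_X, range(4, 10)),
    fragment_of(OID_X, range(12, 16)),
]
OID_Y = OID_X ^ 0b0000_0000_0011_0000
AID_OTHER_USER = fragment_of(OID_Y, range(2, 8))

if __name__ == "__main__":
    m, v, ok = judge_identity(AIDS_SAME_USER + [AID_OTHER_USER])
    print(f"OID_M={m:016b} OID_V={v:016b} merged={ok} precision={precision(m):.3f}")
```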
[0187] As described above, in this first embodiment, the CA 1 which is a Trusted Third Party with high secrecy and credibility generates the AID, in which the personal information is concealed, from the OID that contains the highly secret personal information such as name, telephone number, real email address, etc., according to a user request and issues the AID to the user. By identifying the user by this AID on the communication network as well as in various services provided on the communication network, it becomes possible to provide both the anonymity guarantee and the identity guarantee for the user. In other words, it becomes possible for the user to communicate with another user without revealing the own real name, telephone number, email address, etc., to that another user, and it also becomes possible to disclose the disclosed information to unspecified many through the ADS 7 as will be described below.

[0188] The user registers the disclosed information, that is, an information which is supposed to have a low secrecy compared with the personal information, at the ADS 7. In the case of searching the disclosed information and the registrant AID, the searcher presents the AID of the searcher and arbitrary search conditions to the ADS 7. The ADS 7 then extracts the registrant AID that satisfies these search conditions, and generates the PAT from the AID of the searcher and the AID of the registrant who satisfied the search conditions, the transfer control flag value, and the validity period value.
[0189] In this 1-to-1 PAT, the transfer control flag value and the validity period value are set as shown in a part (c) of Fig. 2, and by setting up the validity period in advance, it is possible to limit connections from the sender.

[0190] It is also possible to prohibit connections from a third person who does not have the access right by using the transfer control flag value. Namely, when the transfer control flag value is set to be 1, the sender's AID is authenticated between the SCS 5 and the sender according to an arbitrary challenge/response process, so that even if the sender gives both the sender's AID and the PAT to another user other than the sender, that another user will not be able to make a connection to the registrant of the ADS 7 through the SCS 5. On the other hand, when the transfer control flag value is set to be 0, no challenge/response process will be carried out between the SCS 5 and the sender, so that if the sender gives both the sender's AID and the PAT to another user other than the sender, that another user will also be able to make a connection to the registrant of the ADS 7 through the SCS 5.

[0191] It is also possible to make a connection request to the communication network such that a call for which the recipient is specified by the 1-to-1 PAT will be received by the recipient's AID or the sender's AID defined within the PAT. In addition, it is also possible to refuse receiving calls with the 1-to-1 PAT selected by the recipient among calls which are specified by the 1-to-1 PAT. It is also possible to cancel the receiving refusal of the calls with the 1-to-1 PAT selected by the recipient. In addition, as a measure against the sender who repeats the personal attack using a plurality of sender's AIDs by taking advantage of the anonymity, it is possible to judge the identity of the OID from these plurality of sender's AIDs and it is possible to extract that OID at some probability.

[0192] Next, with references to Fig. 8 to Fig. 24, the second embodiment of the email access control scheme according to the present invention will be described in detail.

[0193] In contrast to the first embodiment described above which is directed to the case where a sender and a recipient are set in 1-to-1 correspondence, this second embodiment is directed to the case where a sender and recipients are set in 1-to-N correspondence and a generation of a new PAT and a content change of the existing PAT can be made by the initiative of a user. Here, the sender is either a holder of the PAT or a member of the PAT. Similarly, the recipient is either a holder of the PAT or a member of the PAT.

[0194] In general, a membership of a group communication (mailing list, etc.) is changing dynamically so that it is necessary for a host of the group communication to manage information on a point of contact such as telephone number, email address, etc., of each member. In contrast, in the case where it is only possible to newly generate a 1-to-1 PAT as in the first embodiment, the management of a point of contact is difficult. For example, it is difficult to manage the group collectively, and even if it is given to the others for the purpose of the transfer control, it does not function as an address of the group communication such as a mailing list.
[0195] In this second embodiment, in order to resolve such a problem, it is made possible to carry out a generation of a new 1-to-N PAT and a content change of the existing 1-to-N PAT by the initiative of a user.
[0196] First, the definition of various identifications used in this second embodiment will be described with references to Fig. 8 and Fig. 9.
[0197] As shown in a part (a) of Fig. 8, the OID is an information comprising an arbitrary character string (telephone number, email address, etc.) according to a rule by which the CA 1 can uniquely identify the user, and a public key, which is signed by the CA 1.
[0198] Also, as shown in a part (b) of Fig. 8, the AID is an information comprising fragments of the OID and their position information, redundant character strings, and an SCS information given by an arbitrary character string (host name, real domain name, etc.) by which a host or a domain that is operating the SCS 5 can be uniquely identified on the network, which is signed by the CA 1.

[0199] Also, as shown in a part (c) of Fig. 8, the 1-to-N PAT is an information comprising two or more AIDs, a holder index, the validity period, the transfer control flag, and a PAT processing device identifier, which is signed using a secret key of the PAT processing device.
[0200] Here, one of the AIDs is a holder AID of this PAT, where the change of the information contained in the PAT such as an addition of an AID to the PAT, a deletion of an AID from the PAT, a change of the validity period in the PAT, a change of the transfer control flag value in the PAT, etc., can be made by presenting the holder AID and a corresponding Enabler to the PAT processing device.

[0201] On the other hand, the AIDs other than the holder AID that are contained in the PAT are all member AIDs, where a change of the information contained in the PAT cannot be made even when the member AID and a corresponding Enabler are presented to the PAT processing device.

[0202] The holder index is a numerical data for identifying the holder AID, which is defined to take a value 1 when the holder AID is the top AID in the AID list formed from the holder AID and the member AIDs, a value 2 when the holder AID is the second AID from the top of the AID list, or a value n when the holder AID is the n-th AID from the top of the AID list.

[0203] The transfer control flag value is defined to take either 0 or 1 similarly as in the case of the 1-to-1 PAT.
[0204] The holder AID is defined to be an AID which is written at a position of the holder index value in the AID list. The member AIDs are defined to be all the AIDs other than the holder AID.
[0205] The validity period is defined by any one or combination of the number of times for which the PAT is available, the absolute time (UTC) by which the PAT becomes unavailable, the absolute time (UTC) by which the PAT becomes available, and the relative time (lifetime) since the PAT becomes available until it becomes unavailable.

[0206] The identifier of a PAT processing device (or a PAT processing object on the network) is defined as a serial number of the PAT processing device (or a distinguished name of the PAT processing object on the network). The secret key of the PAT processing device (or the PAT processing object on the network) is defined to be uniquely corresponding to the identifier.
[0207] Also, in this second embodiment, an Enabler is introduced as an identifier corresponding to the AID. As shown in Fig. 9, the Enabler is an information comprising a character string uniquely indicating that it is an Enabler and an AID itself, which is signed by the CA 1.
[0208] Next, the operations for a generation of a new PAT and a content change of the existing PAT will be described. Here, the following operations are defined at a secure PAT processing device on the communication terminal or a PAT processing object on the CA or on a network which is properly requested from the CA (which will also be referred to as a PAT processing device hereafter).

1. Editing of AID list:

A list of AIDs (referred to hereafter as an AID list) contained in the PAT is edited using AIDs and Enablers. Else, the AID list is newly generated.

2. Setting of the validity period and the transfer control flag:

The validity period value and the transfer control flag value contained in the PAT are changed using an AID and an Enabler. Also, a new validity period value and a new transfer control flag value are set in the newly generated AID list.

[0209] A user who presented the holder AID and the Enabler corresponding to this holder AID to the PAT processing device can edit the list of AIDs contained in the PAT. In this case, the following processing rules are used.

(1) Generating a new PAT (MakePAT) (see Fig. 10):

The AID list (ALIST<holder AID | member AID_1, member AID_2, ..., member AID_n>) is newly generated, and the validity period value and the transfer control flag value are set with respect to the generated ALIST.

AID_A + AID_B + Enabler of AID_B + Enabler of AID_A
-> ALIST<AID_A | AID_B>

ALIST<AID_A | AID_B> + Enabler of AID_A + validity period value + transfer control flag value
-> PAT<AID_A | AID_B>

(2) Merging PATs (MergePAT) (see Fig. 11):

A plurality of ALISTs of the same holder AID are merged and the validity period value and the transfer control flag value are set with respect to the merged ALIST.

ALIST<AID_A | AID_B1, AID_B2, ...> + ALIST<AID_A | AID_C1, AID_C2, ...> + Enabler of AID_A
-> ALIST<AID_A | AID_B1, AID_B2, ..., AID_C1, AID_C2, ...>

ALIST<AID_A | AID_B1, AID_B2, ..., AID_C1, AID_C2, ...> + Enabler of AID_A + validity period value + transfer control flag value
-> PAT<AID_A | AID_B1, AID_B2, ..., AID_C1, AID_C2, ...>

(3) Splitting a PAT (SplitPAT) (see Fig. 12):

The ALIST is split into a plurality of ALISTs of the same holder AID, and the respective validity period value and transfer control flag value are set with respect to each one of the split ALISTs.

ALIST<AID_A | AID_B1, AID_B2, ..., AID_C1, AID_C2, ...> + Enabler of AID_A
-> ALIST<AID_A | AID_B1, AID_B2, ...> + ALIST<AID_A | AID_C1, AID_C2, ...>

ALIST<AID_A | AID_C1, AID_C2, ...> + Enabler of AID_A + validity period value + transfer control flag value
-> PAT<AID_A | AID_C1, AID_C2, ...>

(4) Changing a holder of a PAT (TransPAT) (see Fig. 13):

The holder AID of the ALIST is changed, and the validity period value and the transfer control flag value are set with respect to the changed ALIST.

ALIST<AID_A | AID_B> + ALIST<AID_A | AID_C1, AID_C2, ...> + Enabler of AID_A + Enabler of AID_B
-> ALIST<AID_B | AID_C1, AID_C2, ...>

ALIST<AID_B | AID_C1, AID_C2, ...> + Enabler of AID_B + validity period value + transfer control flag value
-> PAT<AID_B | AID_C1, AID_C2, ...>

[0210] In the operation for setting the validity period value, in order to permit the setting of the validity period value only to a user who holds both the holder AID and the corresponding Enabler, the following operation is defined.

PAT<AID_A | AID_B> + Enabler of AID_A + validity period value
-> PAT<AID_A | AID_B>

[0211] In the operation for setting the transfer control flag value, in order to permit the setting of the transfer control flag value only to a user who holds both the holder AID and the corresponding Enabler, the following operation is defined.

PAT<AID_A | AID_B> + Enabler of AID_A + transfer control flag value
-> PAT<AID_A | AID_B>

[0212] Next, with references to Fig. 14 to Fig. 20, the overall system configuration of this second embodiment will be described. In Fig. 14 to Fig. 20, the user-A who has AID_A allocated from the CA stores AID_A and Enabler of AID_A in a computer of the user-A, and the input/output devices such as floppy disk drive, CD-ROM drive, communication board, microphone, speaker, etc., are connected. Else, AID_A and Enabler of AID_A are stored in a communication terminal (telephone, cellular phone, etc.) which has a storage device and a data input/output function.

[0213] Similarly, the user-B who has AID_B allocated from the CA stores AID_B and Enabler of AID_B in a computer of the user-B, and the input/output devices such as floppy disk drive, CD-ROM drive, communication board, microphone, speaker, etc., are connected. Else, AID_B and Enabler of AID_B are stored in a communication terminal (telephone, cellular phone, etc.) which has a storage device and a data input/output function.
[0214] In the following, a procedure by which the user-A generates PAT<AID_A | AID_B> will be described.

(1) The user-A acquires AID_B and Enabler of AID_B using any of the following means.

* AID_B and Enabler of AID_B are registered at the ADS 7, and it is waited until the user-A acquires them as a search result (Fig. 14).

* AID_B and Enabler of AID_B are directly transmitted to the user-A by the email, signaling, etc. (Figs. 15, 16).

* AID_B and Enabler of AID_B are stored in a magnetic, optic, or electronic medium such as floppy disk, CD-ROM, MO, IC card, etc., and this medium is given to the user-A. Else, it is waited until the user-A acquires them by reading this medium (Figs. 17, 18).

* AID_B and Enabler of AID_B are printed on a paper medium such as book, name card, etc., and this medium is given to the user-A. Else, it is waited until the user-A acquires them by reading this medium (Figs. 19, 20).

(2) The user-A who has acquired AID_B and Enabler of AID_B by any of the means described in the above (1) issues the MakePAT command to the PAT processing device. This procedure is common to Fig. 14 to Fig. 20, and defined as follows.

(a) The user-A requests the issuance of the MakePAT command by setting AID_A, Enabler of AID_A, AID_B, Enabler of AID_B, the validity period value, and the transfer control flag value into the communication terminal of the user-A.

(b) The communication terminal of the user-A generates the MakePAT command.

(c) The communication terminal of the user-A transmits the generated MakePAT command to the PAT processing device by means such as the email, signaling, etc. (the issuance of the MakePAT command).

(d) The PAT processing device generates PAT<AID_A | AID_B> by processing the received MakePAT command according to Fig. 21 and Fig. 23. More specifically, this is done as follows.

AID_A + AID_B + Enabler of AID_B + Enabler of AID_A
-> ALIST<AID_A | AID_B>

ALIST<AID_A | AID_B> + Enabler of AID_A + validity period value + transfer control flag value
-> PAT<AID_A | AID_B>

(e) The PAT processing device transmits the generated PAT<AID_A | AID_B> to the communication terminal of the user-A or to the communication terminal of the user-B according to the need, by means such as the email, signaling, etc.

(f) The communication terminal of the user-A (or the user-B) stores the received PAT<AID_A | AID_B> in the storage device of the communication terminal of the user-A.

[0215] The merging of PATs (MergePAT, Fig. 21, Fig. 23), the splitting of a PAT (SplitPAT, Fig. 22, Fig. 23), and the changing of a holder of a PAT (TransPAT, Fig. 21, Fig. 23) are also carried out by the similar procedure.
[0216] Next, the procedure of MakePAT, MergePAT and TransPAT will be described with reference to Fig. 21.

(1) The holder AID is specified (step S4411).

(2) All the member AIDs are specified (step S4412).

(3) The AID list is generated from the specified holder AID and all the specified member AIDs (step S4413). More specifically, the specified holder AID and all the specified member AIDs are concatenated using arbitrary means.

(4) A tentative PAT is generated using arbitrary means, similarly as in the case of a tentative AID (step S4414).

(5) The generated AID list is copied to a prescribed region of the generated tentative PAT (step S4415).

(6) The holder index value is written into the tentative PAT to which the AID list has been copied (step S4416).

(7) The transfer control flag value is written into the tentative PAT into which the holder index value has been written (step S4417).

(8) The validity period value is written into the tentative PAT into which the transfer control flag value has been written (step S4418).

(9) The PAT processing device identifier is written into the tentative PAT into which the validity period value has been written (step S4419).

(10) The tentative PAT into which the PAT processing device identifier has been written is signed using the secret key of the PAT processing device (step S4420).

[0217] Next, the procedure of SplitPAT will be described with reference to Fig. 22.

(1) The holder AID is specified (step S4511).

(2) All the AIDs to be the member AIDs of the PATs after the splitting are specified (step S4512).

(3) The AID list is generated from the specified holder AID and all the specified member AIDs (step S4513). More specifically, the specified holder AID and all the specified member AIDs are concatenated using arbitrary means.

(4) A tentative PAT is generated using arbitrary means, similarly as in the case of a tentative AID (step S4514).

(5) The generated AID list is copied to a prescribed region of the generated tentative PAT (step S4515).

(6) The holder index value is written into the tentative PAT to which the AID list has been copied (step S4516).

(7) The transfer control flag value is written into the tentative PAT into which the holder index value has been written (step S4517).

(8) The validity period value is written into the tentative PAT into which the transfer control flag value has been written (step S4518).

(9) The PAT processing device identifier is written into the tentative PAT into which the validity period value has been written (step S4519).

(10) The tentative PAT into which the PAT processing device identifier has been written is signed using the secret key of the PAT processing device (step S4520).

(11) In the case of continuing the splitting (step S4521 YES), the procedure returns to (2), and repeats (2) to (10) sequentially.

[0218] Note that, in the procedures of Fig. 21 and Fig. 22, the AID list generation is carried out according to Fig. 23 as follows. Namely, a buffer length is determined first (step S4611) and a buffer is generated (step S4612). Then, the holder AID is copied to a vacant region of the generated buffer (step S4613). Then, the member AID is copied to a vacant region of the resulting buffer (step S4614), and if the next member AID exists (step S4615 YES), the step S4614 is repeated.
[0219] Next, the determination of the holder AID will be described. Each of the MakePAT, the MergePAT, the SplitPAT, and the TransPAT commands is defined to have two or more arguments, where an AID, a PAT, or an Enabler can be specified as an argument. In this case, the PAT processing device specifies the holder AID of the PAT to be outputted after executing each command according to the following rules.

* Case of the MakePAT:

For the MakePAT command, it is defined that AIDs are to be specified for the first argument to the N-th argument (N = 2, 3, ...) and Enablers are to be specified for the N+1-th and subsequent arguments. For example, they can be specified as follows.

MakePAT AID_1, AID_2, ..., AID_N, Enabler of AID_1, Enabler of AID_2, ..., Enabler of AID_N

The PAT processing device interprets the AID of the first argument of the MakePAT command as the holder AID.

Only when one of the Enablers of the N+1-th and subsequent arguments corresponds to the AID of the first argument, the PAT processing device specifies this AID (that is, the AID of the first argument) as the holder AID of the PAT to be outputted after executing the MakePAT command.

* Case of the MergePAT:

For the MergePAT command, it is defined that PATs are to be specified for the first argument to the N-th argument (N = 2, 3, ...) and an Enabler is to be specified for the N+1-th argument. Namely, they can be specified as follows.

MergePAT PAT_1 PAT_2 ... PAT_N Enabler of AID

The PAT processing device interprets the holder AID of the PAT of the first argument of the MergePAT command as the holder AID of the PAT to be outputted after executing the MergePAT command.

Only when the Enabler of the N+1-th argument corresponds to the holder AID of the PAT of the first argument, the PAT processing device specifies this AID (that is, the holder AID of the PAT of the first argument) as the holder AID of the PAT to be outputted after executing the MergePAT command.

* Case of the SplitPAT:

For the SplitPAT command, it is defined that a PAT is to be specified for the first argument, sets of one or more AIDs grouped together by some prescribed symbols (assumed to be parentheses ( ) in this example) are to be specified for the second argument to the N-th argument (N = 3, 4, ...), and an Enabler is to be specified for the N+1-th argument. Namely, they can be specified as follows.

SplitPAT PAT_1 (AID_11) (AID_21 AID_22) ... (AID_N1 AID_N2 ... AID_NM) Enabler of AID

The PAT processing device interprets the holder AID of the PAT of the first argument of the SplitPAT command as the holder AID of the PAT to be outputted after executing the SplitPAT command.

Only when the Enabler of the N+1-th argument corresponds to the holder AID of the PAT of the first argument, the PAT processing device specifies this AID (that is, the holder AID of the PAT of the first argument) as the holder AID of the PAT to be outputted after executing the SplitPAT command.

* Case of the TransPAT:

For the TransPAT command, it is defined that
PATs are to be specified for the first argument and
the second argument, AID is to be specified for the
third argument, and Enablers are to be specified for
the fourth argument and the fifth argument. Namely,
they can be specified as follows.

TransPAT PAT_1 PAT_2 AID Enabler of AID_1 Enabler of AID_2

The PAT processing device interprets the AID
of the third argument as the holder AID of the PAT
to be outputted after executing the TransPAT command,
provided that the AID of the third argument of
the TransPAT command is contained in the PAT of
the second argument.

Only when the Enabler of the fourth argument
corresponds to both the PAT of the first argument
and the PAT of the second argument and the Enabler
of the fifth argument corresponds to the AID of
the third argument does the PAT processing device
specify the AID of the third argument as the
holder AID of the PAT to be outputted after executing
the TransPAT command.

Next, the determination of the member AIDs
will be described. The definitions of the MakePAT,
the MergePAT, the SplitPAT, and the TransPAT commands
are as described above. The PAT processing
device specifies the member AIDs of the PAT to
be outputted after executing each command
according to the following rules.

* Case of the MakePAT:

Only when the holder AID of the PAT to be
outputted after executing the MakePAT command is
formally determined, the PAT processing device
interprets all the AIDs of the second and subsequent
arguments of the MakePAT command as the
member AIDs of the PAT to be outputted after
executing the MakePAT command.

The PAT processing device specifies only those
AIDs among all the AIDs of the second and subsequent
arguments which correspond to the Enablers
specified by the N+1-th and subsequent arguments
as the member AIDs of the PAT to be outputted
after executing the MakePAT command.

* Case of the MergePAT:

Only when the holder AID of the PAT to be
outputted after executing the MergePAT command is
formally determined, the PAT processing device
specifies the member AIDs of all the PATs specified
by the first to N-th arguments of the MergePAT as
the member AIDs of the PAT to be outputted after
executing the MergePAT command.
* Case of the SplitPAT:

Only when the holder AID of the PAT to be
outputted after executing the SplitPAT command is
formally determined, the PAT processing device
specifies the member AIDs of the PAT specified by
the first argument of the SplitPAT command as the
member AIDs of the PATs to be outputted after
executing the SplitPAT command. At this point, the
member AIDs are distributed into different PATs in
units of parentheses (). For example, in the case of:

SplitPAT PAT (AID_11) (AID_21 AID_22) ... (AID_N1 AID_N2 ... AID_NM) Enabler of AID

(AID_11), (AID_21 AID_22) and (AID_N1 AID_N2 ... AID_NM)
will be the member AIDs of different PATs having
a common holder AID.

* Case of the TransPAT:

Only when the holder AID of the PAT to be
outputted after executing the TransPAT command is
formally determined, the PAT processing device
specifies all the member AIDs remaining after
excluding the member AID that is scheduled to be a
new holder AID from all the member AIDs of the
PAT specified by the first argument of the TransPAT
command and the member AIDs of the PAT specified
by the second argument as the member AIDs
of the PAT to be outputted after executing the
TransPAT command.

[0220] Next, the verification of the properness of the
Enabler will be described. This verification of the
properness of the Enabler is common to the MakePAT, the
MergePAT, the SplitPAT and the TransPAT, and is carried
out according to Fig. 24 as follows.

(1) AID and Enabler are entered (step S5511).

(2) Each of the entered AID and Enabler is verified
using the public key of the CA 1 (step S5512).
If at least one of them has been altered (step S5513 YES),
the processing is terminated.

(3) A character string for certifying that it is Enabler
is entered (step S5514).

(4) The top field of the Enabler of the step S5511
and the character string of the step S5514 are
compared (step S5515). If they do not match (step
S5516 NO), the processing is terminated.

(5) If they match (step S5516 YES), the AID of the
step S5511 and the AID within the Enabler are
compared (step S5517).

(6) A comparison result is outputted (step S5519).

[0221] Next, with reference to Fig. 25 to Fig. 28, the
third embodiment of the email access control scheme
according to the present invention will be described in
detail.

[0222] In the generation of a new PAT (MakePAT) and
the PAT holder change (TransPAT) of the above
described embodiment, it is necessary to give member
AIDs and Enablers of member AIDs to the holder of the
PAT, but when they are given to the holder, it becomes
possible for that holder to participate in the group
communications hosted by the other holders by using the
acquired member AIDs. Namely, there arises a problem
that the pretending using the member AIDs becomes
possible. Moreover, if that holder places the acquired
member AIDs and Enablers of member AIDs on a
medium that is readable by an unspecified number of
people, these member AIDs become accessible to anyone,
so that there arises a problem that the harassment to
the users of the member AIDs may occur and the pretending
using the member AIDs by a third person also becomes
possible.

[0223] For this reason, in this third embodiment it is
made possible to carry out the MakePAT and the TransPAT
without giving the Enablers of member AIDs to the
holder.

[0224] To this end, in this third embodiment, the
generation of a new PAT and the content change of the
existing PAT are carried out by using Null-AID (AID_Null)
and Enabler of Null-AID (Enabler of AID_Null).

[0225] Here, the processing involving the Null-AID
obeys all of the following rules:

(a) the processing rules of MakePAT, MergePAT,
SplitPAT and TransPAT as in the above described
embodiment; and

(b) the rules applicable only to the Null-AID, including:

(i) Null-AID is known to every user, and

(ii) Enabler of Null-AID is known to every user.

[0226] Here, the processing rules as defined in the
above described embodiment in the case of this third
embodiment will be described.

(1) Making a PAT from plural AIDs (MakePAT):

AID_holder + AID_member1 + AID_member2 + ... + AID_memberN
+ Enabler of AID_member1 + Enabler of AID_member2 + ...
+ Enabler of AID_memberN + Enabler of AID_holder

-> PAT<AID_holder | AID_member1, AID_member2, ..., AID_memberN>

(2) Merging plural PATs of the same holder (MergePAT):

PAT<AID_holder | AID_membera1, AID_membera2, ..., AID_memberaM>
+ PAT<AID_holder | AID_memberb1, AID_memberb2, ..., AID_memberbN>
+ Enabler of AID_holder

-> PAT<AID_holder | AID_membera1, AID_membera2, ..., AID_memberaM,
AID_memberb1, AID_memberb2, ..., AID_memberbN>

(3) Splitting a PAT into plural PATs of the same
holder (SplitPAT):

PAT<AID_holder | AID_membera1, AID_membera2, ..., AID_memberaM,
AID_memberb1, AID_memberb2, ..., AID_memberbN>
+ Enabler of AID_holder

-> PAT<AID_holder | AID_membera1, AID_membera2, ..., AID_memberaM>
+ PAT<AID_holder | AID_memberb1, AID_memberb2, ..., AID_memberbN>

(4) Changing a holder AID of a PAT (TransPAT):

PAT<AID_holder | AID_member1, AID_member2, ..., AID_memberM>
+ PAT<AID_holder | AID_newholder>
+ Enabler of AID_holder + Enabler of AID_newholder

-> PAT<AID_newholder | AID_member1, AID_member2, ..., AID_memberM>

[0227] The method for specifying the validity period
value and the transfer control flag value in the PAT
containing the Null-AID is similar to the method for
specifying the validity period value and the transfer
control flag value in the second embodiment described
above. Next, the exemplary processings involving the
Null-AID will be described.

(1) Case of producing PAT<AID_Null | AID_A> from
AID_A and Enabler of AID_A:

(a) According to the above described rules
(b)(i) and (b)(ii) of the Null-AID, AID_Null and
Enabler of AID_Null are known.

(b) Using MakePAT,

AID_Null + AID_A + Enabler of AID_A + Enabler of AID_Null

-> PAT<AID_Null | AID_A>.

(2) Case of producing PAT<AID_Null | AID_A, AID_B>
from PAT<AID_Null | AID_A> and PAT<AID_Null | AID_B>:

(a) According to the above described rules
(b)(i) and (b)(ii) of the Null-AID, AID_Null and
Enabler of AID_Null are known.

(b) Using MergePAT,

PAT<AID_Null | AID_A> + PAT<AID_Null | AID_B>
+ Enabler of AID_Null

-> PAT<AID_Null | AID_A, AID_B>.

(3) Case of producing PAT<AID_A | AID_B> from
PAT<AID_Null | AID_A>, PAT<AID_Null | AID_B> and
Enabler of AID_A:

(a) According to the above described rules
(b)(i) and (b)(ii) of the Null-AID, AID_Null and
Enabler of AID_Null are known.

(b) Using TransPAT,

PAT<AID_Null | AID_A> + PAT<AID_Null | AID_B>
+ Enabler of AID_Null + Enabler of AID_A

-> PAT<AID_A | AID_B>.
[0228] As shown in Fig. 25, the data structure of the
Null-AID comprises a character string uniquely indicating
that it is Null-AID (a character string defined by the
CA, for example), which is signed by the CA using the
secret key of the CA.

[0229] Also, as shown in Fig. 26, the data structure of
the Enabler of Null-AID comprises a character string
uniquely indicating that it is Enabler (a character string
defined by the CA, for example) and the Null-AID itself,
which is signed by the CA using the secret key of the
CA.

[0230] Note that the Null-AID and the Enabler of Null-AID
are maintained at secure PAT processing devices
and the secure PAT certification authority.

[0231] Next, the first exemplary application of this third
embodiment will be described with reference to Fig. 27,
which includes the following operations.

(1) The user-B (PAT member) generates PAT<AID_Null | AID_B>
by executing the above described exemplary processing
(1) involving the Null-AID at the secure PAT processing
device which is connected with the terminal of the
user-B, and gives it to the user-A (PAT holder) by
arbitrary means.

(2) The user-A who received PAT<AID_Null | AID_B>
carries out the following operations at the secure
PAT processing device which is connected with the
terminal of the user-A.

(a) PAT<AID_Null | AID_A> is produced by executing
the above described exemplary processing (1)
involving the Null-AID.

(b) PAT<AID_A | AID_B> is produced by executing
the above described exemplary processing (3)
involving the Null-AID.

(3) The user-A gives the generated PAT<AID_A | AID_B>
to the user-B by arbitrary means.

[0232] Note that the method for determining the validity
period is the same as described above, so that it will
not be repeated here. Also, the processing involving the
Null-AID is the same as described above, so that it will
not be repeated here.

[0233] In the case of giving PAT<AID_Null | AID_A, AID_B>
to the user-B, the above described exemplary
processing (2) involving the Null-AID will be executed in
the operation (2) described above.

[0234] Next, the second exemplary application of this
third embodiment will be described with reference to
Fig. 28, which includes the following operations.

(1) The user-B (PAT member) produces PAT<AID_Null | AID_B>
by executing the above described exemplary processing
(1) involving the Null-AID at the secure PAT processing
device which is connected with the terminal of the
user-B, and registers it along with arbitrary disclosed
information at the ADS.

(2) The user-A produces PAT<AID_Null | AID_A> by
executing the above described exemplary processing
(1) involving the Null-AID at the secure PAT
processing device which is connected with the terminal
of the user-A, and presents it along with arbitrary
search conditions to the ADS.

(3) When the personal information of the user-B
satisfies the search conditions presented by the
user-A, the secure PAT processing device connected
with the ADS carries out the following operations.

(a) PAT<AID_Null | AID_A, AID_B> is produced by
executing the above described exemplary
processing (2) involving the Null-AID.

(b) The produced PAT<AID_Null | AID_A, AID_B> is
given to the ADS.

(4) The ADS gives PAT<AID_Null | AID_A, AID_B>
produced by the PAT processing device to the user-A.

(5) The user-A who received PAT<AID_Null | AID_A, AID_B>
produces PAT<AID_A | AID_B> by executing
the following TransPAT processing at the secure
PAT processing device which is connected with the
terminal of the user-A.

PAT<AID_Null | AID_A> + PAT<AID_Null | AID_A, AID_B>
+ Enabler of AID_Null + Enabler of AID_A

-> PAT<AID_A | AID_B>.

[0235] Note that the method for determining the validity
period is the same as described above, so that it will
not be repeated here. Also, the processing involving the
Null-AID is the same as described above, so that it will
not be repeated here.

[0236] In the case of generating PAT<AID_A | AID_B> at
the PAT processing device connected with the ADS,
Enabler of AID_A will be given to that PAT processing
device, and the above described exemplary processing
(3) involving the Null-AID will be executed in the
operation (3) described above.

[0237] In the case of generating PAT<AID_B | AID_A> at
the PAT processing device connected with the ADS and
giving it to the user-B, Enabler of AID_B will be given to
that PAT processing device, and the above described
exemplary processing (3) involving the Null-AID will be
executed in the operation (3) described above.

[0238] Next, with reference to Fig. 29 to Fig. 31, the
fourth embodiment of the email access control scheme
according to the present invention will be described in
detail.

[0239] In the group communication, a situation where
it is desired to fix the participants is frequently
encountered, but the above described embodiment does not
have a function for making it impossible to change the
PAT, so that the participants cannot be fixed. Namely, in
the above described embodiment, whether or not to fix
the participants is left to the judgement of the holder of
the PAT.

[0240] For this reason, in this fourth embodiment, a
read only attribute is set up in the PAT. More specifically,
in this fourth embodiment the read only attribute is set
up in the PAT by using God-AID (AID_God).

[0241] Here, the processing involving the God-AID
obeys all of the following rules:

(a) God-AID is known to every user, and

(b) the processing involving God-AID is allowed
only in the following cases:

(i) a case where the AID_holder is neither AID_Null
nor AID_God:

PAT<AID_holder | AID_member1, AID_member2, ..., AID_memberN>
+ Enabler of AID_holder

-> PAT<AID_God | AID_holder, AID_member1, AID_member2, ..., AID_memberN>

(ii) a case where AID_holder is AID_Null:

PAT<AID_Null | AID_member1, AID_member2, ..., AID_memberN>
+ Enabler of AID_Null

-> PAT<AID_God | AID_member1, AID_member2, ..., AID_memberN>

[0242] As shown in Fig. 29, the data structure of the
God-AID comprises a character string uniquely indicating
that it is God-AID (a character string defined by the
CA, for example), which is signed by the CA using the
secret key of the CA. The God-AID is maintained at the
secure PAT processing devices and the secure PAT
certification authority described above.

[0243] The processings of a PAT that contains the
Null-AID are according to Fig. 21 to Fig. 24. When the
holder AID is neither Null-AID nor God-AID, the God-AID
is appended to the AID list and the holder index
value is specified to be the position of the God-AID in the
AID list after appending the God-AID. When the holder
AID is Null-AID, the Null-AID is deleted from the AID list,
the God-AID is appended to the AID list, and then the
holder index value is specified to be the position of the
God-AID in the AID list after appending the God-AID.

[0244] Next, the exemplary application of this fourth
embodiment will be described with reference to Fig. 30.

[0245] In the case of producing PAT<AID_God | AID_A, AID_B>
from PAT<AID_Null | AID_A> and PAT<AID_Null | AID_B>,
the following processing is executed at the
secure PAT processing device which is connected with
the terminal of the PAT holder (user-A in Fig. 30).

(1) Using MergePAT,

PAT<AID_Null | AID_A> + PAT<AID_Null | AID_B>
+ Enabler of AID_Null

-> PAT<AID_Null | AID_A, AID_B>.

(2) According to the above described rule (a) of the
God-AID, AID_God is known.

(3) According to the above described rule (b)(ii) of
the God-AID,

PAT<AID_Null | AID_A, AID_B> + Enabler of AID_Null

-> PAT<AID_God | AID_A, AID_B>.

[0246] The above processing is also executed at the
secure PAT processing device connected with a computer
(search engine, etc.) of the third person (Fig. 31) or
at the secure PAT certification authority.

[0247] Next, with reference to Fig. 32, the fifth
embodiment of the email access control scheme according to
the present invention will be described in detail.

[0248] When the Null-AID is added as described in the
third embodiment, there arises a problem that it
becomes possible for the holder of the PAT (the user of
the holder AID) to transfer the access right with respect
to the member (the user of the member AID) to the third
person, and moreover this transfer can be done without
a permission of the member, as will be described now.
(1) The holder-A of PAT<AID_A | AID_B> (for the
member-B) produces PAT<AID_Null | AID_B> by using
PAT<AID_A | AID_B>, AID_A and Enabler of AID_A.
Here, it is assumed that the holder-A knows all of
AID_A, Enabler of AID_A, AID_Null, and Enabler of
AID_Null in addition to PAT<AID_A | AID_B>.

(a) The holder-A produces PAT<AID_A | AID_Null>
using the MakePAT as follows.

AID_A + AID_Null + Enabler of AID_Null + Enabler of AID_A

-> PAT<AID_A | AID_Null>

(b) The holder-A produces PAT<AID_Null | AID_B>
using the TransPAT as follows.

PAT<AID_A | AID_B> + PAT<AID_A | AID_Null>
+ Enabler of AID_A + Enabler of AID_Null

-> PAT<AID_Null | AID_B>

If, after the above described operation (1)(b), the
holder-A gives PAT<AID_Null | AID_B> to the third
person-C, the following operation (2) becomes possible.

(2) The third person-C produces PAT<AID_C | AID_B>
by using PAT<AID_Null | AID_B>. Here, it is assumed
that the third person-C knows all of AID_C, Enabler
of AID_C, AID_Null, and Enabler of AID_Null in addition
to PAT<AID_Null | AID_B>.

(a) The third person-C produces PAT<AID_Null | AID_C>
using the MakePAT as follows.

AID_Null + AID_C + Enabler of AID_C + Enabler of AID_Null

-> PAT<AID_Null | AID_C>

(b) The third person-C produces PAT<AID_C | AID_B>
using the TransPAT as follows.

PAT<AID_Null | AID_B> + PAT<AID_Null | AID_C>
+ Enabler of AID_Null + Enabler of AID_C

-> PAT<AID_C | AID_B>

[0249] As a result of the above described operation
(2)(b), the third person-C obtains PAT<AID_C | AID_B>, so
that accesses to the member-B become possible.
[0250] For this reason, in this fifth embodiment it is
made impossible for the holder of PAT<AID_holder | AID_member>
to produce PAT<AID_Null | AID_member> from this
PAT<AID_holder | AID_member> as long as the holder does
not know Enabler of AID_member.

[0251] In the third embodiment described above, in
order for the PAT holder to produce PAT<AID_Null | AID_member>
without using Enabler of AID_member, it is necessary
to produce PAT<AID_holder | AID_Null>.

[0252] To this end, in this fifth embodiment, for the
Null-AID described in the third embodiment the following
rule is added:

* the Null-AID can be used only as the holder AID of
the PAT (the Null-AID cannot be used as the member AID).

That is, PAT<AID_Null | AID_member1, AID_member2, ..., AID_memberN>
is allowed, but

PAT<AID_holder | AID_Null, AID_member1, AID_member2, ..., AID_memberN>
is not allowed.

Each of the secure PAT processing devices and
the secure PAT certification authority is additionally
equipped with a function for checking whether the
Null-AID is contained as the member AID or not.
This member AID checking processing is carried
out according to Fig. 32 as follows.

(1) Null-AID and PAT are entered (step S6911).

(2) All the member AIDs are taken out from the
PAT entered at the step S6911 (step S6913).

(3) Each of the taken out member AIDs is compared
with the Null-AID entered at the step S6911 (step S6915).

If none of the member AIDs completely matches
the Null-AID (step S6917 NO, step S6919 NO),
the processing proceeds to the MergePAT, SplitPAT
or TransPAT processing (Fig. 21 or Fig. 22) (step
S6921).

If there is a member AID that completely
matches the Null-AID (step S6917 YES), the
processing is terminated.
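As an added example (not code from the patent), the following Python models the PAT processing device described above: the holder and member AID rules of MakePAT, MergePAT, SplitPAT and TransPAT, the Enabler properness verification of Fig. 24, the Null-AID and its Enabler known to every user (third embodiment), and the member AID check of Fig. 32 (fifth embodiment). The CA signature is replaced by an HMAC under a constructed CA secret, and all AID names are constructed.

```python
import hashlib, hmac
from dataclasses import dataclass

# Constructed stand-in for the CA signature: an HMAC under a CA secret that the
# secure PAT processing device also holds (the page uses a CA key pair).
CA_KEY = b"constructed-ca-secret"
ENABLER_TAG = "ENABLER"  # top field of an Enabler: the string certifying it is one

def ca_sign(body: str) -> str:
    return hmac.new(CA_KEY, body.encode(), hashlib.sha256).hexdigest()

@dataclass(frozen=True)
class AID:
    name: str  # constructed AID body, e.g. "AID_A"
    sig: str   # CA signature over the body

    def verify(self) -> bool:
        return hmac.compare_digest(self.sig, ca_sign(self.name))

@dataclass(frozen=True)
class Enabler:
    tag: str   # top field
    aid: AID   # the AID this Enabler belongs to
    sig: str   # CA signature over tag and AID

    def verify(self) -> bool:
        return hmac.compare_digest(self.sig, ca_sign(self.tag + "|" + self.aid.name))

@dataclass(frozen=True)
class PAT:
    holder: AID
    members: tuple  # AIDs in argument order, duplicates removed

def make_aid(name): return AID(name, ca_sign(name))
def make_enabler(aid): return Enabler(ENABLER_TAG, aid, ca_sign(ENABLER_TAG + "|" + aid.name))
def dedup(aids): return tuple(dict.fromkeys(aids))

# Third embodiment, rule (b): Null-AID and its Enabler are known to every user.
NULL_AID = make_aid("AID_Null")
ENABLER_OF_NULL = make_enabler(NULL_AID)

def enabler_matches(aid, enabler) -> bool:
    """Fig. 24: both signatures intact, top field is the Enabler string, and the
    AID inside the Enabler equals the entered AID."""
    return (aid.verify() and enabler.verify()
            and enabler.tag == ENABLER_TAG and enabler.aid == aid)

def has_enabler(aid, enablers): return any(enabler_matches(aid, e) for e in enablers)

def member_check(pat):
    """Fig. 32 (fifth embodiment): terminate when any member AID completely
    matches the Null-AID, which may only be used as a holder AID."""
    if any(m == NULL_AID for m in pat.members):
        raise ValueError("Null-AID is not allowed as a member AID")
    return pat

def make_pat(holder, members, enablers):
    """MakePAT: the holder needs a matching Enabler; only members with one are kept."""
    if not has_enabler(holder, enablers):
        raise ValueError("no Enabler corresponds to the holder AID")
    return member_check(PAT(holder, dedup(m for m in members if has_enabler(m, enablers))))

def merge_pat(pats, enabler):
    """MergePAT: holder of PAT_1 (all inputs must share it); members are the union."""
    holder = pats[0].holder
    if not enabler_matches(holder, enabler) or any(p.holder != holder for p in pats):
        raise ValueError("Enabler or holder mismatch in MergePAT")
    return member_check(PAT(holder, dedup(m for p in pats for m in p.members)))

def split_pat(pat, groups, enabler):
    """SplitPAT: one output PAT per parenthesised group, with a common holder."""
    if not enabler_matches(pat.holder, enabler):
        raise ValueError("Enabler does not correspond to the holder AID")
    return [member_check(PAT(pat.holder, dedup(a for a in g if a in pat.members))) for g in groups]

def trans_pat(pat1, pat2, new_holder, en_holder, en_new):
    """TransPAT: the new holder must be a member of PAT_2, en_holder must match the
    holder of both PATs and en_new the new holder; members = union minus new holder."""
    if new_holder not in pat2.members:
        raise ValueError("new holder AID is not contained in PAT_2")
    if not (enabler_matches(pat1.holder, en_holder) and enabler_matches(pat2.holder, en_holder)
            and enabler_matches(new_holder, en_new)):
        raise ValueError("Enabler verification failed")
    return member_check(PAT(new_holder, dedup(m for m in pat1.members + pat2.members if m != new_holder)))

def null_aid_walkthrough():
    """Exemplary processings (1)-(3) with the Null-AID, then step (1)(a) of the
    holder-A transfer in [0248], which the member check now refuses."""
    aid_a, aid_b = make_aid("AID_A"), make_aid("AID_B")
    en_a, en_b = make_enabler(aid_a), make_enabler(aid_b)
    p_a = make_pat(NULL_AID, [aid_a], [en_a, ENABLER_OF_NULL])   # PAT<AID_Null | AID_A>
    p_b = make_pat(NULL_AID, [aid_b], [en_b, ENABLER_OF_NULL])   # PAT<AID_Null | AID_B>
    p_ab = merge_pat([p_a, p_b], ENABLER_OF_NULL)                # PAT<AID_Null | AID_A, AID_B>
    # PAT_2 must contain the new holder, so PAT<AID_Null | AID_A> is passed second here
    p_a_b = trans_pat(p_b, p_a, aid_a, ENABLER_OF_NULL, en_a)    # PAT<AID_A | AID_B>
    try:
        make_pat(aid_a, [NULL_AID], [ENABLER_OF_NULL, en_a])     # PAT<AID_A | AID_Null>
    except ValueError:
        return p_ab, p_a_b, True
    return p_ab, p_a_b, False
```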

[0253] Next, with reference to Fig. 33 to Fig. 39, the
sixth embodiment of the email access control scheme
according to the present invention will be described in
detail.

[0254] This sixth embodiment differs from the first
embodiment described above in that a link information
is added to the AID of Fig. 2 used in the first
embodiment, as shown in a part (b) of Fig. 34, while a link
information of the AID is set instead of the AID itself that
is contained in the 1-to-1 PAT of Fig. 2, as shown in a part
(c) of Fig. 34, such that the AID is uniquely identified by
the link information.

[0255] Note that such an AID to which the link
information is added will be referred to as a link information
attached AID, and a 1-to-1 PAT having the link information
of the AID will be referred to as a link specifying
1-to-1 PAT. Also, the link information is an information
capable of uniquely identifying the AID, which is given
by a kind of data generally known as an identifier, such as a
serial number uniquely assigned to the AID by the CA,
for example.

[0256] Fig. 33 shows an overall configuration of a
communication system in this sixth embodiment.

[0257] In Fig. 33, the CA (Certification Authority) 1 has
a right to authenticate OIDs and a right to issue AIDs,
and functions to allocate AIDs to users 3.

[0258] The SCS (Secure Communication Service) 5
transfers emails among the users 3, carries out the
receiving refusal and the identity judgement, and the
extraction of the OID according to the need.

[0259] The ADS (Anonymous Directory Service) 7 is
a database for managing the AID, the transfer control
flag value, the validity period value, and the disclosed
information of each user 3. The ADS 7 has a function to
generate the PAT from the AID of a searcher and the
AID of a registrant who satisfies the search conditions,
and issue it to the searcher.

[0260] A series of processing from generating the AID
from the OID according to a request from a user until
allocating the AID to that user is basically the same as
in the first embodiment except that the link information
is to be added, which will now be described with reference
to Fig. 34.

[0261] Fig. 34 shows exemplary formats of the OID,
the link information attached AID, and the link specifying
1-to-1 PAT. As shown in a part (a) of Fig. 34, the OID is
an information comprising an arbitrary character string
according to a rule by which the CA 1 can uniquely identify
the user and a public key, which is signed by the CA 1.

[0262] Also, as shown in a part (b) of Fig. 34, the link
information attached AID is an information comprising
fragments of the OID and their position information,
redundant character strings, an SCS information given
by an arbitrary character string (host name, real domain
name, etc.) by which a host or a domain that is operating
the SCS 5 can be uniquely identified on the network,
and the link information, which is signed by the CA 1.

[0263] Also, as shown in a part (c) of Fig. 34, the link
specifying 1-to-1 PAT is an information comprising the
transfer control flag, the link information of AID_0, the link
information of AID_1, and the validity period, which is
signed by the ADS 7 using a secret key of the ADS 7.

[0264] A procedure by which the user 3 requests the
link information attached AID from the CA 1 is the same as
that of the first embodiment. A procedure by which the
CA 1 issues the link information attached AID to the
user 3 in response to a request for the AID is also the
same as that of the first embodiment.

[0265] Next, the link information attached AID generation
processing at the CA will be described with reference
to Fig. 35.

[0266] In the procedure of Fig. 35, the CA 1 generates
an information of a length equal to the total length L of
the OID, and sets this information as a tentative AID
(step S7211). Then, in order to carry out the partial copying
of the OID, values of parameters p_i and l_i for specifying
a copying region are determined using arbitrary
means such as random number generation respectively
(step S7213). Here, L is the total length of the
OID, and l_i is an arbitrarily defined value within a range
in which a relationship of 0 ≤ l_i ≤ L holds. Then, an
information in a range between a position p_i and a position
p_i + l_i from the top of the OID is copied to the same
positions in the tentative AID (step S7215). In other words,
this OID fragment will be copied to a range between a
position p_i and a position p_i + l_i from the top of the
tentative AID. Then, the values of p_i and l_i are written into a
prescribed range in the tentative AID into which the OID
has been partially copied, in a form encrypted by an
arbitrary means (step S7217). Then, an SCS information
given by an arbitrary character string (host name,
real domain, etc.) that can uniquely identify a host or a
domain that is operating the SCS 5 on the network is
written into a prescribed range in the tentative AID into
which these values are written (step S7219). Then, the
link information is written (step S7220). Then, the tentative
AID into which the above character string and the
link information are written is signed using a secret key
of the CA 1 (step S7221).
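As an added example (not the patent's code), the following Python carries out the link information attached AID generation of Fig. 35 and the identity judgement the CA can make on the result, which is what the partial copy of the OID is for. The CA signature and the encryption of (p, l) are HMAC and XOR-pad stand-ins under constructed keys (the page fixes neither algorithm), and the OID, SCS information and serial number are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-ins: the CA signature is an HMAC under CA_KEY, and the
# "encryption by arbitrary means" of (p, l) is an XOR with a hash-derived pad
# under POS_KEY; both keys are held by the CA only.
CA_KEY = b"constructed-ca-secret"
POS_KEY = b"constructed-position-key"

@dataclass(frozen=True)
class LinkAID:
    body: bytes      # OID fragment at its original positions, random filler elsewhere
    enc_pos: bytes   # (p, l) in encrypted form, step S7217
    scs_info: str    # host or domain operating the SCS, step S7219
    link_info: int   # serial number assigned by the CA, step S7220
    sig: str         # CA signature, step S7221

def _pad(nonce: bytes) -> bytes:
    return hashlib.sha256(POS_KEY + nonce).digest()[:4]

def encrypt_pos(p: int, l: int) -> bytes:
    nonce = secrets.token_bytes(8)
    plain = p.to_bytes(2, "big") + l.to_bytes(2, "big")
    return nonce + bytes(a ^ b for a, b in zip(plain, _pad(nonce)))

def decrypt_pos(enc: bytes) -> tuple:
    nonce, cipher = enc[:8], enc[8:]
    plain = bytes(a ^ b for a, b in zip(cipher, _pad(nonce)))
    return int.from_bytes(plain[:2], "big"), int.from_bytes(plain[2:], "big")

def _signed_fields(body: bytes, enc_pos: bytes, scs_info: str, link_info: int) -> bytes:
    return body + enc_pos + scs_info.encode() + link_info.to_bytes(8, "big")

def ca_sign(fields: bytes) -> str:
    return hmac.new(CA_KEY, fields, hashlib.sha256).hexdigest()

def generate_link_aid(oid: bytes, scs_info: str, link_info: int, p=None, l=None) -> LinkAID:
    """Fig. 35: tentative AID of length L = len(OID) (S7211); choose p and l with
    0 <= l <= L and the copy region inside the OID (S7213); copy OID[p:p+l] to the
    same positions (S7215); write encrypted (p, l) (S7217), the SCS information
    (S7219) and the link information (S7220); sign (S7221). p and l default to
    random values, one of the 'arbitrary means' the page allows."""
    L = len(oid)
    l = secrets.randbelow(L + 1) if l is None else l
    if not 0 <= l <= L:
        raise ValueError("l must satisfy 0 <= l <= L")
    p = secrets.randbelow(L - l + 1) if p is None else p
    if not 0 <= p <= L - l:
        raise ValueError("copy region p..p+l must lie inside the OID")
    body = bytearray(secrets.token_bytes(L))  # redundant character strings
    body[p:p + l] = oid[p:p + l]              # partial copy of the OID
    enc_pos = encrypt_pos(p, l)
    sig = ca_sign(_signed_fields(bytes(body), enc_pos, scs_info, link_info))
    return LinkAID(bytes(body), enc_pos, scs_info, link_info, sig)

def verify_link_aid(aid: LinkAID) -> bool:
    expected = ca_sign(_signed_fields(aid.body, aid.enc_pos, aid.scs_info, aid.link_info))
    return hmac.compare_digest(aid.sig, expected)

def aid_derived_from(aid: LinkAID, oid: bytes) -> bool:
    """Identity judgement at the CA: recover (p, l), then check that the copied
    fragment of the AID equals the same region of the candidate OID. An empty
    fragment (l == 0) proves nothing and is rejected."""
    if not verify_link_aid(aid) or len(aid.body) != len(oid):
        return False
    p, l = decrypt_pos(aid.enc_pos)
    return l > 0 and aid.body[p:p + l] == oid[p:p + l]
```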

[0267] Next, a procedure for registering the AID of a
user-B 3 and the disclosed information into the ADS 7
will be described. First, the bidirectional authentication
by arbitrary means using the AID of the user-B 3 and the
certificate of the ADS 7 is carried out between the user-B
3 who is a registrant and the ADS 7. Then, the user-B
3 transmits the transfer control flag value, the validity
period value, and the disclosed information such as
interests to the ADS 7. Then, the ADS 7 stores the
transfer control flag value, the validity period value, and
the entire disclosed information in relation to the AID of
the user-B 3 in its storage device. Here, there can be
cases where communications between the user-B 3
who is the registrant and the ADS 7 are to be encrypted.

[0268] Next, a procedure by which a user-A 3
searches through the disclosed information that is
registered in the ADS 7 will be described. First, the
bidirectional authentication by arbitrary means using the AID of
the user-A 3 and the certificate of the ADS 7 is carried
out between the user-A 3 who is a searcher and the
ADS 7. Then, the user-A 3 transmits arbitrary search
conditions to the ADS 7. Then, the ADS 7 presents all
the received search conditions to its storage device, and
extracts the AID of a registrant which satisfies these
search conditions. Then, the ADS 7 generates the link
specifying 1-to-1 PAT from the link information of the
AID of the user-A 3 and the link information of the AID of
the registrant who satisfied the search conditions, the
transfer control flag value, and the validity period value.
Then, the ADS 7 transmits the generated PAT to the
user-A 3. Here, there can be cases where communications
between the user-A 3 who is a searcher and the
ADS 7 are to be encrypted. Note that the link specifying
1-to-1 PAT is generated as a search result of the ADS 7.
[0269] Next, the link specifying 1-to-1 PAT generation
processing at the ADS 7 will be described with reference
to Fig. 36.

[0270] First, an information of a prescribed length is
generated, and this information is set as a tentative PAT
(step S7510). Then, the link information of the AID of
the user-A 3 who is a searcher and the link information
of the AID of the user-B 3 who is a registrant are copied
into a prescribed region of the tentative PAT (step
S7516). Then, the transfer control flag value and the
validity period value are written into respective prescribed
regions of the tentative PAT into which the link
informations of the AIDs are copied (step S7517). Then,
the tentative PAT into which these values are written is
signed using a secret key of the ADS 7 (step S7519).

[0271] Next, the transfer control using the link specifying
1-to-1 PAT will be described. The transfer control is
a function for limiting accesses to a user who has a
proper access right, excluding a third person to whom the PAT
has been transferred or who has eavesdropped the PAT
(a user who originally does not have the access right).

[0272] The ADS 7 and the user-B 3 of the registrant
AID can prohibit a connection to the user-B 3 from a
third person who does not have the access right by setting
a certain value into the transfer control flag of the
PAT.

[0273] When the transfer control flag value is set to be
1, the sender's AID is authenticated between the SCS 5
and the sender according to an arbitrary challenge/response
process, so that even if the sender
gives both the sender's AID and the PAT to another user
other than the sender, that other user will not be able
to make a connection to the registrant of the ADS 7
through the SCS 5.

[0274] On the other hand, when the transfer control
flag value is set to be 0, no challenge/response process
will be carried out between the SCS 5 and the sender,
so that if the sender gives both the sender's AID and the
PAT to another user other than the sender, that other
user will also be able to make a connection to the registrant
of the ADS 7 through the SCS 5.

[0275] Next, the email access control method at the
SCS 5 will be described with reference to Fig. 37.

[0276] The sender specifies "[sender's AID]@[real
domain of SCS of sender]" in the From: line, and
"[PAT]@[real domain of SCS of sender]" in the To: line.

[0277] The SCS 5 acquires a mail received by an MTA
(Message Transfer Agent) such as SMTP (Simple Mail
Transfer Protocol), and executes the processing of Fig.
37 as follows.

(1) The signature of the PAT is verified using a public
key of the ADS 7 (step S7713).

When the PAT is found to have been altered
(step S7715 YES), the mail is discarded and the
processing is terminated (step S7716).

When the PAT is found not to have been altered
(step S7715 NO), the following processing (2) is
executed.

(2) The search is carried out by presenting the link
information of the sender's AID to the PAT (steps
S7717, S7720, S7722).

When a link information that completely
matches the link information of the sender's
AID is not contained in the PAT (step S7723 NO),
the mail is discarded and the processing is terminated
(step S7716).

When a link information that completely
matches the link information of the sender's
AID is contained in the PAT (step S7723 YES), the
following processing (3) is executed.

(3) The validity period value of the PAT is evaluated
(steps S7725, S7727).

When the PAT is outside the validity period
(step S7727 NO), the mail is discarded and the
processing is terminated (step S7716).

When the PAT is within the validity period (step
S7727 YES), the following processing (4) is executed.

(4) Whether or not to authenticate the sender is
determined by referring to the transfer control flag
value of the PAT (steps S7731, S7733).

When the value is 1 (step S7733 YES), the
SCS 5 acquires the sender's AID itself and the public
key of the sender's AID by presenting the link
information to the CA 1, and then the challenge/response
authentication between the SCS 5
and the sender is carried out and the signature of
the sender is verified (step S7735). When the signature
is valid, the recipient is specified and the PAT
is attached (step S7737). When the signature is
invalid, the mail is discarded and the processing is
terminated (step S7716).

When the value is 0 (step S7733 NO), the
recipient is specified and the PAT is attached without
executing the challenge/response authentication
(step S7737).

[0278] The challenge/response authentication between the SCS 5 and the sender is the same as that for the 1-to-1 PAT described above.
[0279] Next, a method for specifying the recipient at the SCS 5 will be described. First, the SCS 5 carries out the search by presenting the link information of the sender's AID to the PAT, so as to acquire all the link informations which do not completely match the link information of the sender's AID. Then, the search is carried out by presenting all these acquired link informations to the CA 1 so as to acquire the AIDs. All these acquired AIDs will be defined as recipient's AIDs hereafter. Then, for every recipient's AID, the real domain of SCS of recipient is taken out from the recipient's AID. Then, the recipient is specified in a format of "[recipient's AID]@[real domain of SCS of recipient]". Finally, the SCS 5 changes the sender from a format of "[sender's AID]@[real domain of SCS of sender]" to a format of "[sender's AID]".

[0280] The method for attaching the PAT at the SCS 5 is the same as that for the 1-to-1 PAT described above.
[0281] Next, a method of receiving refusal with respect to the PAT at the SCS 5 will be described.
[0282] Receiving refusal setting: The bidirectional authentication is carried out by an arbitrary means between the user and the SCS 5. Then, the user transmits a registration command, his/her own AID, and arbitrary PATs to the SCS 5. Then, the SCS 5 verifies the signature of the received AID. If the signature is invalid, the processing of the SCS 5 is terminated. If the signature is valid, the SCS 5 next verifies the signature of each received PAT using a public key of the ADS. Those PATs with the invalid signature are discarded by the SCS 5. When the signature is valid, the SCS 5 takes out the link information from the received AID, and then carries out the search by presenting the taken out link information to each PAT. For each of those PATs which contain the link information that completely matches with the link information of the received AID, the SCS 5 presents the registration command and the PAT to the storage device such that the PAT is registered into the storage device. Those PATs which do not contain the link information that completely matches with the link information of the received AID are discarded by the SCS 5 without storing them into the storage device. Here, there can be cases where communications between the user and the SCS 5 are to be encrypted.
[0283] Receiving refusal execution: The SCS 5 carries out the search by presenting the PAT to the storage device. When a PAT that completely matches the presented PAT is registered in the storage device, the mail is discarded. When a PAT that completely matches the presented PAT is not registered in the storage device, the mail is not discarded.

[0284] Receiving refusal cancellation: The bidirectional authentication is carried out by an arbitrary means between the user and the SCS 5. Then, the user presents his/her own AID to the SCS 5. Then, the SCS 5 verifies the signature of the received AID. If the signature is invalid, the processing of the SCS 5 is terminated. If the signature is valid, the SCS 5 next takes out the link information from the presented AID, presents the taken out link information as a search condition to the storage device, acquires all the PATs that contain the presented link information, and then presents all the acquired PATs to the user. Then, the user selects all the PATs for which the receiving refusal is to be cancelled by referring to all the PATs presented from the SCS 5, and transmits all the selected PATs along with a deletion command to the SCS 5. Upon receiving the deletion command and all the PATs for which the receiving refusal is to be cancelled, the SCS 5 presents the deletion command and all the PATs received from the user to the storage device, such that all the received PATs are deleted from the storage device.

[0285] Note that the method of receiving refusal with respect to the link specifying 1-to-N PAT at the SCS 5 is the same as the method of receiving refusal with respect to the link specifying 1-to-1 PAT described above.
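The SCS 5 side of this processing (the four checks of Fig. 37, the recipient specification of [0279] and the receiving refusal execution of [0283]) as an added Python example that is not part of the patent: the ADS signature is stood in for by an HMAC with a constructed key, the CA 1 lookup is a constructed table, and the challenge/response of step (4) is a callback supplied by the caller.

```python
import hashlib
import hmac
import json

DISCARD, DELIVER = "discard", "deliver"

# Constructed sample environment: the ADS signing key (an HMAC key stands in
# for the ADS 7 key pair) and the CA 1 directory mapping a link information
# to the AID itself and the real domain of the SCS operating for that AID.
ADS_KEY = b"constructed-ads-signing-key"
CA_DIRECTORY = {
    "link-A": ("AID-A", "scs-a.example"),
    "link-B": ("AID-B", "scs-b.example"),
}


def ca_lookup(link_info):
    """Stand-in for presenting a link information to the CA 1 ([0279])."""
    return CA_DIRECTORY[link_info]


def pat_signature(body, ads_key):
    """Stand-in for the ADS 7 signature over the PAT fields (HMAC, constructed)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ads_key, canonical, hashlib.sha256).hexdigest()


def issue_pat(links, valid_from, valid_until, transfer_control_flag, ads_key=ADS_KEY):
    """Constructed PAT: link informations of the sender and recipient AIDs, a
    validity period given as absolute times, the transfer control flag, signature."""
    body = {"links": list(links), "valid_from": valid_from,
            "valid_until": valid_until, "transfer_control_flag": transfer_control_flag}
    return {**body, "signature": pat_signature(body, ads_key)}


def pat_unaltered(pat, ads_key=ADS_KEY):
    """Steps S7713/S7715: the signature must match the PAT contents."""
    body = {k: v for k, v in pat.items() if k != "signature"}
    return hmac.compare_digest(pat_signature(body, ads_key), pat["signature"])


def process_mail(pat, sender_link, now, authenticate_sender, refused_pats=()):
    """Fig. 37 at the SCS 5. Returns (decision, recipients, rewritten From line).

    authenticate_sender(aid) -> bool stands in for the challenge/response of
    step (4); refused_pats holds the PATs registered for receiving refusal
    ([0282]); that check is placed after step (4) here, the page does not fix
    its position."""
    if not pat_unaltered(pat):                              # (1) altered PAT
        return DISCARD, [], None
    if sender_link not in pat["links"]:                     # (2) no matching link
        return DISCARD, [], None
    if not pat["valid_from"] <= now < pat["valid_until"]:   # (3) validity period
        return DISCARD, [], None
    sender_aid, _ = ca_lookup(sender_link)
    if pat["transfer_control_flag"] == 1 and not authenticate_sender(sender_aid):
        return DISCARD, [], None                            # (4) flag 1, auth failed
    if any(pat == refused for refused in refused_pats):     # [0283] refusal execution
        return DISCARD, [], None
    # [0279] recipient specification: every other link information is resolved at
    # the CA 1 and written as "[recipient's AID]@[real domain of SCS of recipient]";
    # the From: line becomes "[sender's AID]" and the PAT is attached.
    recipients = []
    for link in pat["links"]:
        if link != sender_link:
            aid, domain = ca_lookup(link)
            recipients.append(f"{aid}@{domain}")
    return DELIVER, recipients, sender_aid
```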

[0286] Next, the judgement of identity will be described with reference to Fig. 38 and Fig. 39.

(1) An initial value of a variable OID_M is defined as a bit sequence with a length equal to the total length L of the OID and all values equal to "0". Also, an initial value of a variable OID_V is defined as a bit sequence with a length equal to the total length L of the OID and all values equal to "0" (step S7911).

(2) One link information attached AID is selected from a set of processing target link information attached AIDs, and the following bit processing is carried out (step S7913).

(a) Values of variables AID_M and AID_V are determined according to the position information contained in the link information attached AID (step S7915). Here, AID_M is defined as a bit sequence with a length equal to the total length L of the OID in which a value of a position at which the OID information is defined is "1" while a value of a position at which the OID information is not defined is "0" (see Fig. 39). Also, AID_V is defined as a bit sequence with a length equal to the total length L of the OID in which a value of a position at which the OID information is defined is an actual value of the OID information while a value of a position at which the OID information is not defined is "0" (see Fig. 39).

(b) AND processing of OID_M and AID_M is carried out and its result is substituted into a variable OVR_M (step S7917).

(c) AND processing of OVR_M and AID_V as well as AND processing of OVR_M and OID_V are carried out and their results are compared (step S7919). When they coincide, OR processing of OID_M and AID_M is carried out and its result is substituted into OID_M (step S7921), while OR processing of OID_V and AID_V is also carried out and its result is substituted into OID_V (step S7923). On the other hand, when they do not coincide, the processing proceeds to the step S7925.

(d) A link information attached AID to be processed next is selected from a set of processing target link information attached AIDs. When at least one other link information attached AID is contained in the set, the steps S7913 to S7923 are executed for that other link information attached AID. When no other link information attached AID is contained in the set, the processing proceeds to the step S7927.

(e) Values of OID_M and OID_V are outputted (step S7927).

[0287] The value of OID_M that is eventually obtained indicates all positions of the OID information that can be recovered from the set of processing target link information attached AIDs. Also, the value of OID_V that is eventually obtained indicates all the OID information that can be recovered from the set of processing target link information attached AIDs. In other words, by using the values of OID_M and OID_V, it is possible to obtain the OID, albeit probabilistically, when the value of OID_V is used as a search condition, and it is possible to quantitatively evaluate a precision of the above search by a ratio OID_M/L with respect to the total length L of the OID.
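The bit processing of steps S7911 to S7927 and the precision measure of [0287], as an added Python example that is not part of the patent; the fragment layout of an AID (a list of (position, bit string) pairs), the 16-bit sample OID and the four AIDs are constructed.

```python
"""Judgement of identity (Fig. 38 and Fig. 39): recover the OID from a set of
link information attached AIDs that each carry fragments of the same OID.

Bit sequences are Python ints of L bits; position 0 is the most significant bit.
"""


def aid_masks(fragments, L):
    """Step S7915. AID_M: 1 where the OID information is defined, 0 elsewhere.
    AID_V: the actual OID bits at the defined positions, 0 elsewhere."""
    aid_m = aid_v = 0
    for pos, bit_string in fragments:
        for i, ch in enumerate(bit_string):
            bit = 1 << (L - 1 - (pos + i))
            aid_m |= bit
            if ch == "1":
                aid_v |= bit
    return aid_m, aid_v


def judge_identity(aids, L):
    """Steps S7911 to S7927. An AID whose fragments agree with everything
    recovered so far is merged in; one that conflicts on the overlap is skipped.
    The result depends on the order of the set, as the greedy steps imply."""
    oid_m = oid_v = 0                                   # S7911: all-zero initial values
    for fragments in aids:                              # S7913 / S7925: next AID
        aid_m, aid_v = aid_masks(fragments, L)          # S7915
        ovr_m = oid_m & aid_m                           # S7917: positions both define
        if (ovr_m & aid_v) == (ovr_m & oid_v):          # S7919: same bits on the overlap?
            oid_m |= aid_m                              # S7921
            oid_v |= aid_v                              # S7923
    return oid_m, oid_v                                 # S7927


def precision(oid_m, L):
    """[0287]: share of the L OID positions recovered (popcount(OID_M) / L)."""
    return bin(oid_m).count("1") / L


def bits(value, L):
    return format(value, f"0{L}b")


# Constructed sample: an OID of L = 16 bits "1011000111001010" scattered over
# three AIDs of the same user, plus one AID (FOREIGN) carved from another OID.
L = 16
AID_1 = [(0, "1011"), (8, "1100")]
AID_2 = [(2, "11000"), (12, "1010")]
AID_3 = [(6, "01")]
FOREIGN = [(4, "1111")]      # conflicts with AID_2 at positions 4 to 6
```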
[0288] As described above, in this sixth embodiment, the CA 1 which is a Trusted Third Party with high secrecy and credibility generates the link information attached AID in which the personal information is concealed, from the OID that contains the highly secret personal information such as name, telephone number, real email address, etc., according to a user request, and issues the AID to the user. By identifying the user by this AID on the communication network as well as in various services provided on the communication network, it becomes possible to provide both the anonymity guarantee and the identity guarantee for the user. In other words, it becomes possible for the user to communicate with another user without revealing the own real name, telephone number, email address, etc., to that another user, and it also becomes possible to disclose the disclosed information to unspecified many through the ADS 7 as will be described below.
[0289] The user registers the disclosed information, that is, an information which is supposed to have a low secrecy compared with the personal information, at the ADS 7. In the case of searching the disclosed information and the registrant AID, the searcher presents the link information attached AID of the searcher and arbitrary search conditions to the ADS 7. The ADS 7 then extracts the registrant link information attached AID that satisfies these search conditions, and generates the link specifying 1-to-1 PAT from the link information of the AID of the searcher and the link information of the AID of the registrant who satisfied the search conditions, the transfer control flag value, and the validity period value.
[0290] In this link specifying 1-to-1 PAT, the transfer control flag value and the validity period value are set as shown in a part (c) of Fig. 34, and by setting up this validity period in advance, it is possible to limit connections from the sender.

[0291] It is also possible to prohibit connections from a third person who does not have the access right by using the transfer control flag value. Namely, when the transfer control flag value is set to be 1, the sender's AID is authenticated between the SCS 5 and the sender according to an arbitrary challenge/response process, so that even if the sender gives both the sender's AID and the PAT to another user other than the sender, that another user will not be able to make a connection to the registrant of the ADS 7 through the SCS 5. On the other hand, when the transfer control flag value is set to be 0, no challenge/response process will be carried out between the SCS 5 and the sender, so that if the sender gives both the sender's AID and the PAT to another user other than the sender, that another user will also be able to make a connection to the registrant of the ADS 7 through the SCS 5.

[0292] It is also possible to make a connection request to the communication network such that a call for which the recipient is specified by the link specifying 1-to-1 PAT will be received by the recipient's AID or the sender's AID specified by the link information of the link specifying 1-to-1 PAT. In addition, it is also possible to refuse receiving calls with the link specifying 1-to-1 PAT selected by the recipient among calls which are specified by the link specifying 1-to-1 PAT. It is also possible to cancel the receiving refusal of the calls with the link specifying 1-to-1 PAT selected by the recipient. In addition, as a measure against the sender who repeats the personal attack using a plurality of sender's AIDs by taking an advantage of the anonymity, it is possible to judge the identity of the OID from these plurality of sender's AIDs and it is possible to extract that OID at some probability.

[0293] Next, with references to Fig. 40 to Fig. 48, the seventh embodiment of the email access control scheme according to the present invention will be described in detail.

[0294] In contrast to the sixth embodiment described above which is directed to the case where a sender and a recipient are set in 1-to-1 correspondence, this seventh embodiment is directed to the case where a sender and recipients are set in 1-to-N correspondence and a generation of a new link specifying 1-to-N PAT and a content change of the existing link specifying 1-to-N PAT can be made by the initiative of a user, similarly as in the second embodiment described above. Here, the sender is either a holder of the PAT or a member of the PAT. Similarly, the recipient is either a holder of the PAT or a member of the PAT.

[0295] As described in the second embodiment, in general, a membership of a group communication (mailing list, etc.) is changing dynamically so that it is necessary for a host of the group communication to manage information on a point of contact such as telephone number, email address, etc., of each member. In contrast, in the case where it is possible to newly generate a 1-to-1 PAT as in the sixth embodiment, the management of a point of contact is difficult. For example, it is difficult to manage the group collectively, and even if it is given to the others for the purpose of the transfer control, it does not function as an address of the group communication such as mailing list.
[0296] In this seventh embodiment, in order to resolve such a problem, it is made possible to carry out a generation of a new link specifying 1-to-N PAT and a content change of the existing link specifying 1-to-N PAT by the initiative of a user.

[0297] First, the definition of various identifications used in this seventh embodiment will be described with references to Fig. 40 and Fig. 41.
[0298] As shown in a part (a) of Fig. 40, the OID is an information comprising an arbitrary character string (telephone number, email address, etc.) according to a rule by which the CA 1 can uniquely identify the user and a public key, which is signed by the CA 1.
[0299] Also, as shown in a part (b) of Fig. 40, the link information attached AID is an information comprising fragments of the OID and their position information, redundant character strings, an SCS information given by an arbitrary character string (host name, real domain name, etc.) by which a host or a domain that is operating the SCS 5 can be uniquely identified on the network, and a link information, which is signed by the CA 1. Note that the AID may be encrypted at the SCS 5 or the CA 1. The link information is the same as in the sixth embodiment.

[0300] Also, as shown in a part (c) of Fig. 40, the link specifying 1-to-N PAT is an information comprising two or more link informations of AIDs, a holder index, the validity period, the transfer control flag, and a PAT processing device identifier, which is signed using a secret key of the PAT processing device.
[0301] Here, one of the link informations of AIDs is the link information of the holder AID of this PAT, where the change of the information contained in the PAT such as an addition of the link information of AID to the PAT, a deletion of the link information of AID from the PAT, a change of the validity period in the PAT, a change of the transfer control flag value in the PAT, etc., can be made by presenting the link information of the holder AID and a corresponding Enabler to the PAT processing device.
[0302] On the other hand, the link informations of AIDs other than the link information of the holder AID that are contained in the PAT are all link informations of member AIDs, where a change of the information contained in the PAT cannot be made even when the link information of the member AID and a corresponding Enabler are presented to the PAT processing device.
[0303] The holder index is a numerical data for identifying the link information of the holder AID, which is defined to take a value 1 when the link information of the holder AID is a top link information of AID in the link specifying AID list formed from the link information of the holder AID and the link informations of the member AIDs, a value 2 when the link information of the holder AID is a second link information of AID from the top of the link specifying AID list, or a value n when the link information of the holder AID is an n-th link information of AID from the top of the link specifying AID list.
[0304] The transfer control flag value is defined to take either 0 or 1 similarly as in the case of the link specifying 1-to-1 PAT.

[0305] The link information of the holder AID is defined to be a link information of AID which is written at a position of the holder index value in the link specifying AID list. The link informations of the member AIDs are defined to be all the link informations of AIDs other than the link information of the holder AID.
[0306] The validity period is defined by any one or combination of the number of times for which the PAT is available, the absolute time (UTC) by which the PAT becomes unavailable, the absolute time (UTC) by which the PAT becomes available, and the relative time (lifetime) since the PAT becomes available until it becomes unavailable.

[0307] The identifier of a PAT processing device (or a PAT processing object on the network) is defined as a serial number of the PAT processing device (or a distinguished name of the PAT processing object on the network). The secret key of the PAT processing device (or the PAT processing object on the network) is defined to be uniquely corresponding to the identifier.
[0308] Also, in this second embodiment, an Enabler is introduced as an identifier corresponding to the AID. As shown in Fig. 41, the Enabler is an information comprising a character string uniquely indicating that it is an Enabler and a link information attached AID itself, which is signed by the CA 1.

[0309] Next, the operations for a generation of a new PAT and a content change of the existing PAT will be described. Here, the following operations are defined at a secure PAT processing device on the communication terminal or a PAT processing object on the CA or on a network which is properly requested from the CA (which will also be referred to as a PAT processing device hereafter). These operations are similar to those of the second embodiment described above so that they will be described by referring to Fig. 10 to Fig. 13, but it is assumed that each occurrence of AID in Fig. 10 to Fig. 13 should be replaced by the link information of AID in the following.

1. Editing of link specifying AID list:

A link specifying AID list, which is a list of link informations of AIDs contained in the PAT, is edited using link information attached AIDs and Enabler. Else, the link specifying AID list is newly generated.

2. Setting of the validity period and the transfer control flag:

The validity period value and the transfer control flag value contained in the PAT are changed using a link information attached AID and Enabler. Also, a new validity period value and a new transfer control flag value are set in the newly generated link specifying AID list.

[0310] A user who presented the holder AID and the Enabler corresponding to this holder AID to the PAT processing device can edit the list of link informations of AIDs contained in the PAT. In this case, the following processing rules are used.

(1) Generating a new PAT (MakePAT) (see Fig. 10):

The link specifying AID list (LALIST<(link)holder AID | (link)member AID_1, (link)member AID_2, ..., (link)member AID_n>), where (link)AID_X denotes the link information of AID_X, is newly generated, and the validity period value and the transfer control flag value are set with respect to the generated LALIST.

(link)AID_A + (link)AID_B + Enabler of AID_B + Enabler of AID_A
-> LALIST<(link)AID_A | (link)AID_B>

LALIST<(link)AID_A | (link)AID_B> + Enabler of AID_A + validity period value + transfer control flag value
-> PAT<(link)AID_A | (link)AID_B>

(2) Merging PATs (MergePAT) (see Fig. 11):

A plurality of LALISTs of the same holder AID are merged, and the validity period value and the transfer control flag value are set with respect to the merged LALIST.

LALIST<(link)AID_A | (link)AID_B1, (link)AID_B2, ...>
+ LALIST<(link)AID_A | (link)AID_C1, (link)AID_C2, ...>
+ Enabler of AID_A
-> LALIST<(link)AID_A | (link)AID_B1, (link)AID_B2, ..., (link)AID_C1, (link)AID_C2, ...>

LALIST<(link)AID_A | (link)AID_B1, (link)AID_B2, ..., (link)AID_C1, (link)AID_C2, ...>
+ Enabler of AID_A + validity period value + transfer control flag value
-> PAT<(link)AID_A | (link)AID_B1, (link)AID_B2, ..., (link)AID_C1, (link)AID_C2, ...>

(3) Splitting a PAT (SplitPAT) (see Fig. 12):

The LALIST is split into a plurality of LALISTs of the same holder AID, and the respective validity period value and transfer control flag value are set with respect to each one of the split LALISTs.

LALIST<(link)AID_A | (link)AID_B1, (link)AID_B2, ..., (link)AID_C1, (link)AID_C2, ...>
+ Enabler of AID_A
-> LALIST<(link)AID_A | (link)AID_B1, (link)AID_B2, ...>
+ LALIST<(link)AID_A | (link)AID_C1, (link)AID_C2, ...>

LALIST<(link)AID_A | (link)AID_C1, (link)AID_C2, ...>
+ Enabler of AID_A + validity period value + transfer control flag value
-> PAT<(link)AID_A | (link)AID_C1, (link)AID_C2, ...>

(4) Changing a holder of a PAT (TransPAT) (see Fig. 13):

The holder AID of the LALIST is changed, and the validity period value and the transfer control flag value are set with respect to the changed LALIST.

LALIST<(link)AID_A | (link)AID_B>
+ LALIST<(link)AID_A | (link)AID_C1, (link)AID_C2, ...>
+ Enabler of AID_A + Enabler of AID_B
-> LALIST<(link)AID_B | (link)AID_C1, (link)AID_C2, ...>

LALIST<(link)AID_B | (link)AID_C1, (link)AID_C2, ...>
+ Enabler of AID_B + validity period value + transfer control flag value
-> PAT<(link)AID_B | (link)AID_C1, (link)AID_C2, ...>

[0311] In the operation for setting the validity period value, in order to permit the setting of the validity period value only to a user who holds both the holder AID and the corresponding Enabler, the following operation is defined.

PAT<(link)AID_A | (link)AID_B> + Enabler of AID_A + validity period value
-> PAT<(link)AID_A | (link)AID_B>

[0312] In the operation for setting the transfer control flag value, in order to permit the setting of the transfer control flag value only to a user who holds both the holder AID and the corresponding Enabler, the following operation is defined.

PAT<(link)AID_A | (link)AID_B> + Enabler of AID_A + transfer control flag value
-> PAT<(link)AID_A | (link)AID_B>

[0313] Next, with references to Fig. 42 to Fig. 48, the overall system configuration of this seventh embodiment will be described. In Fig. 42 to Fig. 48, the user-A who has AID_A allocated from the CA stores AID_A and Enabler of AID_A in a computer of the user-A, and the input/output devices such as floppy disk drive, CD-ROM drive, communication board, microphone, speaker, etc., are connected. Else, AID_A and Enabler of AID_A are stored in a communication terminal (telephone, cellular phone, etc.) which has a storage device and a data input/output function.

[0314] Similarly, the user-B who has AID_B allocated from the CA stores AID_B and Enabler of AID_B in a computer of the user-B, and the input/output devices such as floppy disk drive, CD-ROM drive, communication board, microphone, speaker, etc., are connected. Else, AID_B and Enabler of AID_B are stored in a communication terminal (telephone, cellular phone, etc.) which has a storage device and a data input/output function.
[0315] In the following, a procedure by which the user-A generates PAT<(link)AID_A | (link)AID_B> will be described.

(1) The user-A acquires AID_B and Enabler of AID_B using any of the following means.

* AID_B and Enabler of AID_B are registered at the ADS 7, and it is waited until the user-A acquires them as a search result (Fig. 42).

* AID_B and Enabler of AID_B are directly transmitted to the user-A by the email, signaling, etc. (Figs. 43, 44).

* AID_B and Enabler of AID_B are stored in a magnetic, optic, or electronic medium such as floppy disk, CD-ROM, MO, IC card, etc., and this medium is given to the user-A. Else, it is waited until the user-A acquires them by reading this medium (Figs. 45, 46).

* AID_B and Enabler of AID_B are printed on a paper medium such as book, name card, etc., and this medium is given to the user-A. Else, it is waited until the user-A acquires them by reading this medium (Figs. 47, 48).

(2) The user-A who has acquired AID_B and Enabler of AID_B by any of the means described in the above (1) issues the MakePAT command to the PAT processing device. This procedure is common to Fig. 42 to Fig. 48, and defined as follows.

(a) The user-A requests the issuance of the MakePAT command by setting AID_A, Enabler of AID_A, AID_B, Enabler of AID_B, the validity period value, and the transfer control flag value into the communication terminal of the user-A.

(b) The communication terminal of the user-A generates the MakePAT command.

(c) The communication terminal of the user-A transmits the generated MakePAT command to the PAT processing device by means such as the email, signaling, etc. (the issuance of the MakePAT command).

(d) The PAT processing device generates PAT<(link)AID_A | (link)AID_B> by processing the received MakePAT command according to Fig. 21 and Fig. 49. More specifically, this is done as follows.

(link)AID_A + (link)AID_B + Enabler of AID_B + Enabler of AID_A
-> LALIST<(link)AID_A | (link)AID_B>

LALIST<(link)AID_A | (link)AID_B> + Enabler of AID_A + validity period value + transfer control flag value
-> PAT<(link)AID_A | (link)AID_B>

(e) The PAT processing device transmits the generated PAT<(link)AID_A | (link)AID_B> to the communication terminal of the user-A, or to the communication terminal of the user-B according to the need, by means such as the email, signaling, etc.

(f) The communication terminal of the user-A (or the user-B) stores the received PAT<(link)AID_A | (link)AID_B> in the storage device of the communication terminal of the user-A.

[0316] The merging of PATs (MergePAT, Fig. 21, Fig. 49), the splitting of a PAT (SplitPAT, Fig. 22, Fig. 49), and the changing of a holder of a PAT (TransPAT, Fig. 21, Fig. 49) are also carried out by the similar procedure.
[0317] The procedure of MakePAT, MergePAT and TransPAT is similar to that described above with reference to Fig. 21, except that the AID should be replaced by the link information of the AID and the AID list should be replaced by the link specifying AID list. Also, the procedure of SplitPAT is similar to that described above with reference to Fig. 22, except that the AID should be replaced by the link information of the AID and the AID list should be replaced by the link specifying AID list.
[0318] Here, in the procedures of Fig. 21 and Fig. 22, the link specifying AID list generation is carried out according to Fig. 49 as follows. Namely, a buffer length is determined first (step S9011) and a buffer is generated (step S9012). Then, the link information of the holder AID is copied to a vacant region of the generated buffer (step S9017). Then, the link information of the member AID is copied to a vacant region of the resulting buffer (step S9018), and if the next member AID exists (step S9015 YES), the step S9018 is repeated.
[0319] Next, the determination of the link information of the holder AID will be described. Each of the MakePAT, the MergePAT, the SplitPAT, and the TransPAT commands is defined to have two or more arguments, where AID, PAT, or Enabler can be specified as an argument. In this case, the PAT processing device specifies the link information of the holder AID of the PAT to be outputted after executing each command according to the following rules.

* Case of the MakePAT:

For the MakePAT command, it is defined that AIDs are to be specified for the first argument to the N-th argument (N = 2, 3, ...) and Enablers are to be specified for the N+1-th and subsequent arguments. For example, they can be specified as follows.

MakePAT AID_1, AID_2, ..., AID_N, Enabler of AID_1, Enabler of AID_2, ..., Enabler of AID_N

The PAT processing device interprets the link information of AID of the first argument of the MakePAT command as the link information of the holder AID.

Only when one of the Enablers of the N+1-th and subsequent arguments corresponds to the AID of the first argument, the PAT processing device specifies the link information of this AID (that is, the link information of the AID of the first argument) as the link information of the holder AID of the PAT to be outputted after executing the MakePAT command.

* Case of the MergePAT:

For the MergePAT command, it is defined that PATs are to be specified for the first argument to the N-th argument (N = 2, 3, ...) and Enabler is to be specified for the N+1-th argument. Namely, they can be specified as follows.

MergePAT PAT_1, PAT_2, ..., PAT_N, Enabler of AID

The PAT processing device interprets the link information of the holder AID of the PAT of the first argument of the MergePAT command as the link information of the holder AID of the PAT to be outputted after executing the MergePAT command. Only when the Enabler of the N+1-th argument corresponds to the holder AID of the PAT of the first argument, the PAT processing device specifies the link information of this AID (that is, the link information of the holder AID of the PAT of the first argument) as the link information of the holder AID of the PAT to be outputted after executing the MergePAT command.

* Case of the SplitPAT:

For the SplitPAT command, it is defined that PAT is to be specified for the first argument, a set of one or more AIDs grouped together by some prescribed symbols (assumed to be parentheses () in this example) are to be specified for the second argument to the N-th argument (N = 3, 4, ...), and Enabler is to be specified for the N+1-th argument. Namely, they can be specified as follows.

SplitPAT PAT, (AID_11, ...), (AID_21, AID_22, ...), ..., (AID_N1, AID_N2, ..., AID_Nn), Enabler of AID

The PAT processing device interprets the link information of the holder AID of the PAT of the first argument of the SplitPAT command as the link information of the holder AID of the PAT to be outputted after executing the SplitPAT command.

Only when the Enabler of the N+1-th argument corresponds to the holder AID of the PAT of the first argument, the PAT processing device specifies the link information of this AID (that is, the link information of the holder AID of the PAT of the first argument) as the link information of the holder AID of the PAT to be outputted after executing the SplitPAT command.

* Case of the TransPAT:

For the TransPAT command, it is defined that PATs are to be specified for the first argument and the second argument, an AID is to be specified for the third argument, and Enablers are to be specified for the fourth argument and the fifth argument. Namely, they can be specified as follows.

TransPAT PAT_1 PAT_2 AID Enabler of AID_1 Enabler of AID_2

The PAT processing device interprets the link information of the AID of the third argument as the link information of the holder AID of the PAT to be outputted after executing the TransPAT command, provided that the link information of the AID of the third argument of the TransPAT command is contained in the PAT of the second argument.

Only when the Enabler of the fourth argument corresponds to both the PAT of the first argument and the PAT of the second argument, and the Enabler of the fifth argument corresponds to the AID of the third argument, the PAT processing device specifies the link information of the AID of the third argument as the link information of the holder AID of the PAT to be outputted after executing the TransPAT command.

Next, the determination of the link informations of the member AIDs will be described. The definitions of the MakePAT, the MergePAT, the SplitPAT, and the TransPAT commands are as described above. The PAT processing device specifies the link informations of the member AIDs of the PAT to be outputted after executing each command according to the following rules.

* Case of the MakePAT:

Only when the link information of the holder AID of the PAT to be outputted after executing the MakePAT command is formally determined, the PAT processing device interprets all the link informations of the AIDs of the second and subsequent arguments of the MakePAT command as the link informations of the member AIDs of the PAT to be outputted after executing the MakePAT command.

The PAT processing device specifies only the link informations of those AIDs among all the AIDs of the second and subsequent arguments which correspond to the Enablers specified by the N+1-th and subsequent arguments as the link informations of the member AIDs of the PAT to be outputted after executing the MakePAT command.

* Case of the MergePAT:

Only when the link information of the holder AID of the PAT to be outputted after executing the MergePAT command is formally determined, the PAT processing device specifies the link informations of the member AIDs of all the PATs specified by the first to N-th arguments of the MergePAT as the link informations of the member AIDs of the PAT to be outputted after executing the MergePAT command.

* Case of the SplitPAT:

Only when the link information of the holder AID of the PAT to be outputted after executing the SplitPAT command is formally determined, the PAT processing device specifies the link information of the member AID of the PAT specified by the first argument of the SplitPAT command as the link information of the member AID of the PAT to be outputted after executing the SplitPAT command. At this point, the link informations of the member AIDs are distributed into different PATs in units of parentheses (). For example, in the case of:

SplitPAT PAT (AID_11) (AID_21 AID_22) ... (AID_N1 AID_N2 ... AID_Nm) Enabler of AID

the link informations of (AID_11), (AID_21, AID_22), ..., and (AID_N1, AID_N2, ..., AID_Nm) will be the link informations of the member AIDs of different PATs having a common link information of holder AID.
* Case of the TransPAT:

Only when the link information of the holder AID of the PAT to be outputted after executing the TransPAT command is formally determined, the PAT processing device specifies all the link informations of the member AIDs remaining after excluding the link information of the member AID that is scheduled to be a new holder AID from all the link informations of the member AIDs of the PAT specified by the first argument of the TransPAT command and the link informations of the member AIDs of the PAT specified by the second argument, as the link informations of the member AIDs of the PAT to be outputted after executing the TransPAT command.

The verification of the properness of the Enabler in this seventh embodiment is the same as described above with reference to Fig. 24. Also, this verification of the properness of the Enabler is common to the MakePAT, the MergePAT, the SplitPAT and the TransPAT.
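The holder and member rules for the four commands, written out as an added Python illustration (not code from the patent). It assumes that an AID is represented directly by its link information, that MakePAT takes AIDs followed by Enablers, and that the Enabler properness check of Fig. 24 is stood in for by an HMAC tag under the PAT processing device's key.

```python
"""Seventh-embodiment PAT editing rules: MakePAT, MergePAT, SplitPAT, TransPAT.

Added illustration, not the patent's own code. Assumptions (not on the page):
  * an AID is represented directly by its link information (a string);
  * MakePAT receives AID_1 ... AID_N followed by one or more Enablers;
  * an Enabler is ("Enabler", link information) tagged with HMAC-SHA256 under
    the PAT processing device's key, standing in for the device's signature.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

DEVICE_KEY = b"pat-processing-device-secret"  # constructed sample key


@dataclass(frozen=True)
class Enabler:
    aid: str      # link information of the AID this Enabler belongs to
    tag: bytes    # stand-in for the PAT processing device's signature


@dataclass(frozen=True)
class PAT:
    holder: str                 # link information of the holder AID
    members: FrozenSet[str]     # link informations of the member AIDs


def issue_enabler(aid: str, key: bytes = DEVICE_KEY) -> Enabler:
    """Issue an Enabler for an AID (done by the PAT processing device)."""
    tag = hmac.new(key, b"Enabler|" + aid.encode(), hashlib.sha256).digest()
    return Enabler(aid, tag)


def corresponds(enabler: Enabler, aid: str, key: bytes = DEVICE_KEY) -> bool:
    """True when the Enabler is proper and belongs to exactly this AID."""
    expected = hmac.new(key, b"Enabler|" + aid.encode(), hashlib.sha256).digest()
    return enabler.aid == aid and hmac.compare_digest(enabler.tag, expected)


def make_pat(aids: List[str], enablers: List[Enabler]) -> Optional[PAT]:
    """MakePAT AID_1 ... AID_N Enabler ...: AID_1 becomes the holder only when
    some Enabler corresponds to it; the members are the other AIDs that also
    have a corresponding Enabler."""
    holder, rest = aids[0], aids[1:]
    if not any(corresponds(e, holder) for e in enablers):
        return None  # holder link information is not formally determined
    members = frozenset(a for a in rest if any(corresponds(e, a) for e in enablers))
    return PAT(holder, members)


def merge_pat(pats: List[PAT], enabler: Enabler) -> Optional[PAT]:
    """MergePAT PAT_1 ... PAT_N Enabler: the holder of PAT_1 stays holder, gated
    by its Enabler; the members are the union of all member link informations."""
    if not corresponds(enabler, pats[0].holder):
        return None
    members = frozenset().union(*(p.members for p in pats))
    return PAT(pats[0].holder, members)


def split_pat(pat: PAT, groups: List[List[str]],
              enabler: Enabler) -> Optional[List[PAT]]:
    """SplitPAT PAT (group) ... (group) Enabler: one output PAT per parenthesised
    group, all with the input holder; only members of the input PAT are
    distributed (an assumption: unknown AIDs in a group are dropped)."""
    if not corresponds(enabler, pat.holder):
        return None
    return [PAT(pat.holder, frozenset(g) & pat.members) for g in groups]


def trans_pat(pat1: PAT, pat2: PAT, new_holder: str,
              enabler1: Enabler, enabler2: Enabler) -> Optional[PAT]:
    """TransPAT PAT_1 PAT_2 AID Enabler_1 Enabler_2: AID (contained in PAT_2)
    becomes the holder when Enabler_1 corresponds to the holders of both PATs
    and Enabler_2 corresponds to AID; AID is removed from the members."""
    if new_holder not in pat2.members:
        return None  # new holder's link information is not contained in PAT_2
    if not (corresponds(enabler1, pat1.holder) and corresponds(enabler1, pat2.holder)):
        return None
    if not corresponds(enabler2, new_holder):
        return None
    members = (pat1.members | pat2.members) - {new_holder}
    return PAT(new_holder, members)
```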

[0320] Next, the eighth embodiment of the email access control scheme according to the present invention will be described in detail.

[0321] In this eighth embodiment, the OID is given by a real email address.

[0322] The PAT is an information comprising two or more real email addresses, the holder index, the validity period, the transfer control flag and the PAT processing device identifier (or the identifier of the PAT processing object on the network), which is signed using a secret key of the PAT processing device (or the PAT processing object on the network).

[0323] Here, one of the real email addresses is a holder email address of this PAT, where the change of the information contained in the PAT, such as an addition of an email address to the PAT, a deletion of an email address from the PAT, a change of the validity period in the PAT, a change of the transfer control flag value in the PAT, etc., can be made by presenting the holder email address and an Enabler containing the holder email address to the PAT processing device (or the PAT processing object on the network).

[0324] On the other hand, the email addresses other than the holder email address that are contained in the PAT are all member email addresses, where a change of the information contained in the PAT cannot be made even when a member email address and an Enabler containing the member email address are presented to the PAT processing device (or the PAT processing object on the network).
[0325] The holder index is a numerical data for identifying the holder email address, which is defined to take a value 1 when the holder email address is the top email address in the email address list formed from the holder email address and the member email addresses, a value 2 when the holder email address is the second email address from the top of the email address list, or a value n when the holder email address is the n-th email address from the top of the email address list.

[0326] The transfer control flag value is defined to take either 0 or 1.

[0327] The holder email address is defined to be a real email address which is written at the position specified by the holder index in the email address list. The member email addresses are defined to be all the email addresses other than the holder email address.

[0328] The validity period is defined by any one or combination of the number of times for which the PAT is available, the absolute time (UTC) by which the PAT becomes unavailable, the absolute time (UTC) by which the PAT becomes available, and the relative time (lifetime) since the PAT becomes available until it becomes unavailable.

[0329] The identifier of the PAT processing device (or the PAT processing object on the network) is defined as a serial number of the PAT processing device (or a distinguished name of the PAT processing object on the network). The secret key of the PAT processing device (or the PAT processing object on the network) is defined to correspond uniquely to the identifier.

[0330] Also, in this eighth embodiment, an Enabler is defined as an identifier corresponding to the real email address. The Enabler is an information comprising a character string uniquely indicating that it is an Enabler and a real email address itself, which is signed using the secret key of the PAT processing device or the PAT processing object on the network.

[0331] The generation of the PAT in the eighth embodiment is carried out as follows.

[0332] Here, a directory will be described as an example of the PAT processing object on the network. The directory manages the real email address and the disclosed information of the user in correspondence, and outputs the PAT upon receiving the search conditions presented from an arbitrary user.

[0333] The user transmits the real email address and the search conditions to the directory. Then, the directory acquires all the real email addresses which uniquely correspond to the disclosed information that satisfies these search conditions. Then, the directory generates a real email address list from the real email address of the user who presented the search conditions and all the real email addresses acquired as a search result. Then, the directory appends the holder index value, the validity period value, the transfer control flag value, and the distinguished name of the directory to the real email address list. Finally, the directory signs the resulting data using a secret key of the directory, and transmits it as the PAT to the user who presented the search conditions.

[0334] Next, the email access control in this eighth embodiment is carried out as follows.

[0335] The sender specifies the real email address of the sender in the From: line, and "[PAT]@[real domain of sender]" in the To: line of a mail.

[0336] The SCS acquires an email received by an MTA (Message Transfer Agent) such as SMTP (Simple Mail Transfer Protocol), and carries out the authentication by the following procedure.

(1) The signature of the PAT is verified using the public key of the PAT.

When the PAT is found to have been altered, the email is discarded and the processing is terminated.

When the PAT is found to have been not altered, the following processing (2) is executed.

(2) The search is carried out by presenting the sender's real email address to the PAT.

When a real email address that completely matches the sender's real email address is not contained in the PAT, the email is discarded and the processing is terminated.

When a real email address that completely matches the sender's real email address is contained in the PAT, the following processing (3) is executed.

(3) The validity period value of the PAT is evaluated.

When the PAT is outside the validity period, the email is discarded and the processing is terminated.

When the PAT is within the validity period, the following processing (4) is executed.

(4) Whether or not to authenticate the sender is determined by referring to the transfer control flag value of the PAT.

When the value is 1, the challenge/response authentication between the SCS and the sender is carried out, and the signature of the sender is verified. When the signature is valid, the recipient is specified and the PAT is attached. When the signature is invalid, the email is discarded and the processing is terminated.

When the value is 0, the recipient is specified and the PAT is attached without executing the challenge/response authentication.

[0337] An exemplary challenge/response authentication between the SCS and the sender in this eighth embodiment can be carried out as follows.

[0338] First, the SCS generates an arbitrary information such as a timestamp, for example, and transmits the generated information to the sender.

[0339] Then, the sender generates the secret key and the public key, signs the received information using the secret key, and transmits it along with the public key.

[0340] The SCS then verifies the signature of the received information using the public key presented from the sender. When the signature is valid, the recipient is specified and the PAT is attached. When the signature is invalid, the email is discarded and the processing is terminated.

[0341] The specifying of the recipient and the attaching of the PAT at the SCS in this eighth embodiment can be carried out as follows.

[0342] First, the SCS carries out the search by presenting the sender's real email address to the PAT, so as to acquire all the real email addresses which do not completely match the sender's real email address. Then, all these acquired real email addresses are specified as the recipients' real email addresses.

[0343] Next, the SCS attaches the PAT to an arbitrary position in the email in order to transmit the PAT to all the recipients' email addresses, so as to be able to realize the bidirectional communications. Finally, the SCS gives the email to the MTA.
[0344] The receiving refusal with respect to the PAT at the SCS in this eighth embodiment can be carried out as follows.

[0345] Receiving refusal setting: The bidirectional authentication is carried out by an arbitrary means between the user and the SCS 5. Then, the user transmits a registration command, his/her own real email address, and arbitrary PATs to the SCS 5. Then, the SCS 5 verifies the signature of each received PAT using a public key of the ADS. Those PATs with an invalid signature are discarded by the SCS 5. When the signature is valid, the SCS 5 carries out the search by presenting the received real email address to each PAT. For each of those PATs which contain a real email address that completely matches the received real email address, the SCS 5 presents the registration command and the PAT to the storage device such that the PAT is registered into the storage device. Those PATs which do not contain a real email address that completely matches the received real email address are discarded by the SCS 5 without storing them into the storage device.

[0346] Receiving refusal execution: The SCS 5 carries out the search by presenting the PAT to the storage device. When a PAT that completely matches the presented PAT is registered in the storage device, the mail is discarded. When a PAT that completely matches the presented PAT is not registered in the storage device, the mail is not discarded.

[0347] Receiving refusal cancellation: The bidirectional authentication is carried out by an arbitrary means between the user and the SCS 5. Then, the user presents his/her own real email address to the SCS 5. Then, the SCS 5 presents the presented real email address as a search condition to the storage device and acquires all the PATs that contain the presented real email address, and then presents all the acquired PATs to the user. Then, the user selects all the PATs for which the receiving refusal is to be cancelled by referring to all the PATs presented from the SCS 5, and transmits all the selected PATs along with a deletion command to the SCS 5. Upon receiving the deletion command and all the PATs for which the receiving refusal is to be cancelled, the SCS 5 presents the deletion command and all the PATs received from the user to the storage device, such that all the received PATs are deleted from the storage device.
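The SCS side of this eighth embodiment, as an added Python illustration (not code from the patent): the four-step check of [0336], the recipient derivation of [0342], and the receiving refusal setting, execution and cancellation of [0345] to [0347]. It assumes a JSON encoding of the PAT, an HMAC tag standing in for the directory's signature, a validity period given as UTC start and end times only, and a caller-supplied callable for the challenge/response of step (4).

```python
"""Eighth-embodiment SCS handling of a PAT built from real email addresses.

Added illustration, not the patent's own code. Assumptions (not on the page):
  * the PAT is a JSON document; the signature of the PAT processing object
    (here the directory) is stood in for by HMAC-SHA256 under a verification key;
  * the validity period is given as the UTC start and end times only;
  * the challenge/response of step (4) is supplied by the caller as a callable
    that returns True when the sender's signature verified.
"""
import hashlib
import hmac
import json
from typing import Callable, List, Set, Tuple

DIRECTORY_KEY = b"directory-signing-key"  # constructed sample key


def _tag(body: str, key: bytes) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def issue_pat(addresses: List[str], holder_index: int, not_before: int,
              not_after: int, transfer_flag: int, device_id: str,
              key: bytes = DIRECTORY_KEY) -> str:
    """Directory side ([0333]): sign the address list plus its attributes."""
    body = json.dumps({"addresses": addresses, "holder_index": holder_index,
                       "not_before": not_before, "not_after": not_after,
                       "transfer_flag": transfer_flag, "device": device_id},
                      sort_keys=True)
    return json.dumps({"body": body, "sig": _tag(body, key)})


def scs_check(pat: str, sender: str, now: int,
              challenge_response: Callable[[str], bool],
              key: bytes = DIRECTORY_KEY) -> Tuple[str, List[str]]:
    """Steps (1)-(4) of [0336]; returns ("deliver", recipients) or ("discard", [])."""
    envelope = json.loads(pat)
    body, sig = envelope["body"], envelope["sig"]
    # (1) signature verification: an altered PAT is discarded
    if not hmac.compare_digest(sig, _tag(body, key)):
        return ("discard", [])
    fields = json.loads(body)
    addresses = fields["addresses"]
    # (2) the sender's real email address must completely match an entry
    if sender not in addresses:
        return ("discard", [])
    # (3) validity period
    if not (fields["not_before"] <= now <= fields["not_after"]):
        return ("discard", [])
    # (4) transfer control flag 1 requires the challenge/response to succeed
    if fields["transfer_flag"] == 1 and not challenge_response(sender):
        return ("discard", [])
    # [0342]: every address that does not match the sender's is a recipient
    recipients = [a for a in addresses if a != sender]
    return ("deliver", recipients)


class RefusalStore:
    """Receiving refusal of [0345]-[0347]: exact-match registry of PATs."""

    def __init__(self, key: bytes = DIRECTORY_KEY) -> None:
        self.key = key
        self.pats: Set[str] = set()

    def register(self, user: str, pats: List[str]) -> int:
        """Setting: keep only validly signed PATs containing the user's address."""
        stored = 0
        for pat in pats:
            env = json.loads(pat)
            if not hmac.compare_digest(env["sig"], _tag(env["body"], self.key)):
                continue  # invalid signature: discarded
            if user in json.loads(env["body"])["addresses"]:
                self.pats.add(pat)
                stored += 1
        return stored

    def refused(self, pat: str) -> bool:
        """Execution: the mail is discarded when the PAT matches exactly."""
        return pat in self.pats

    def listing(self, user: str) -> List[str]:
        """Cancellation, first half: all registered PATs containing the address."""
        return sorted(p for p in self.pats
                      if user in json.loads(json.loads(p)["body"])["addresses"])

    def cancel(self, user: str, pats: List[str]) -> None:
        """Cancellation, second half: delete the PATs the user selected."""
        for pat in pats:
            if pat in self.listing(user):
                self.pats.discard(pat)
```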

[0348] The editing of the PAT in this eighth embodiment can be carried out as follows.

[0349] The MakePAT, the MergePAT, the SplitPAT, and the TransPAT processings for the PAT using real email addresses as its elements can be obtained from the MakePAT, the MergePAT, the SplitPAT, and the TransPAT processings for the PAT using AIDs as its elements described above, by replacing the AID by the real email address and the Enabler of AID by the Enabler of real email address.

[0350] A Null operator is an information comprising a data which uniquely indicates that it is Null and which has a format of the real email address, which is signed by the secret key of the PAT processing device or the PAT processing object on the network.

[0351] Similarly, the God operator is an information comprising a data which uniquely indicates that it is God and which has a format of the real email address, which is signed by the secret key of the PAT processing device or the PAT processing object on the network.

[0352] The Enabler of Null operator is an information comprising a data which uniquely indicates that it is an Enabler and the Null operator itself, which is signed by the secret key of the PAT processing device or the PAT processing object on the network.

[0353] The processings involving the Null operator and the God operator can be obtained from the processings for the PAT using AIDs as its elements described above, by replacing the AID by the real email address, the Enabler of AID by the Enabler of real email address, the Null-AID by the Null operator, the God-AID by the God operator, and the Enabler of Null-AID by the Enabler of Null operator.

[0354] As described, according to the present invention, a PAT is used for verifying the access right of a sender and the email access control among users is carried out when the verification result is valid, so that it becomes possible to disclose the information indicative of characteristics of a user while concealing the true identification of a user and carrying out communications appropriately according to this disclosed information, while preventing conventionally possible attacks from a third person. In addition, even when a recipient receives an attack from a sender who maliciously utilizes the anonymity, damages of a recipient due to that attack can be minimized.

[0355] Also, according to the present invention, the generation and the content change of the personalized access ticket can be made by the initiative of a user by using an AID assigned to each user and an Enabler defined in correspondence to the AID, so that it becomes possible to appropriately manage information such as that of a point of contact of each member of the group communication (mailing list, etc.) which changes dynamically.

[0356] Also, according to the present invention, a Null-AID and an Enabler of Null-AID can be introduced in order to carry out the generation of a new PAT (MakePAT) and the merging of PATs (MergePAT) without giving the member AID and the Enabler of the member AID to the holder of the PAT, so that it becomes possible to prevent the pretending using the member AID.

[0357] Also, according to the present invention, the Null-AID can be used only as the holder AID of the PAT (the Null-AID cannot be used as the member AID), that is, PAT<AID_Null | AID_member1, AID_member2, ..., AID_memberN> is allowed, but PAT<AID_holder | AID_Null, AID_member1, AID_member2, ..., AID_memberN> is not allowed, so that the holder of PAT<AID_holder | AID_member> cannot produce PAT<AID_Null | AID_member> from this PAT<AID_holder | AID_member> as long as the holder does not know the Enabler of AID_member.

[0358] Also, according to the present invention, a God-AID can be introduced in order to set up a read only attribute to the PAT, so that it becomes possible to fix the participants in the group communication.

[0359] Also, according to the present invention, the link information for uniquely specifying the AID can be introduced and the PAT can be given in terms of the link information such that the PAT does not contain the AID itself, so that it becomes possible to realize the receiving refusal function without using the AID itself.

[0360] It is to be noted that besides those already mentioned above, many modifications and variations of the above embodiments may be made without departing from the novel and advantageous features of the present invention. Accordingly, all such modifications and variations are intended to be included within the scope of the appended claims.

Claims 

1. A method of email access control, comprising the steps of:

receiving a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, at a secure communication service for connecting communications between the sender and the receiver; and

controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket at the secure communication service.

2. The method of claim 1, wherein at the controlling step the secure communication service authenticates the personalized access ticket presented by the sender, and refuses a delivery of the email when the personalized access ticket presented by the sender has been altered.

3. The method of claim 2, wherein the personalized access ticket is signed by a secret key of a secure processing device which issued the personalized access ticket, and at the controlling step the secure communication service authenticates the personalized access ticket by verifying a signature of the secure processing device in the personalized access ticket using a public key of the secure processing device.

4. The method of claim 1, wherein at the receiving step the secure communication service also receives the sender's identification presented by the sender along with the personalized access ticket, and at the controlling step the secure communication service checks whether the sender's identification presented by the sender is contained in the personalized access ticket presented by the sender, and refuses a delivery of the email when the sender's identification presented by the sender is not contained in the personalized access ticket presented by the sender.

5. The method of claim 1, wherein the personalized access ticket also contains a validity period indicating a period for which the personalized access ticket is valid, and at the controlling step the secure communication service checks the validity period contained in the personalized access ticket presented by the sender and refuses a delivery of the email when the personalized access ticket presented by the sender contains a validity period that has already expired.

6. The method of claim 5, wherein the validity period of the personalized access ticket is set by a trusted third party.

7. The method of claim 1, further comprising the step of:

issuing the personalized access ticket to the sender at a directory service for managing an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than a personal information, in a state which is accessible for search by unspecified many, in response to search conditions specified by the sender, by using an identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.

8. The method of claim 1, further comprising the step of:

registering in advance the personalized access ticket containing an identification of a specific user from which a delivery of emails to a specific registrant is to be refused as the sender's identification and an identification of the specific registrant as the recipient's identification, at the secure communication service;

wherein at the controlling step the secure communication service refuses a delivery of the email from the sender when the personalized access ticket presented by the sender is registered therein in advance at the registering step.

9. The method of claim 8, further comprising the step of:

deleting the personalized access ticket registered at the secure communication service upon request from the specific registrant who registered the personalized access ticket at the registering step.

10. The method of claim 1, wherein the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service, and at the controlling step, when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the secure communication service authenticates the sender's identification presented by the sender and refuses a delivery of the email when an authentication of the sender's identification fails.

11. The method of claim 10, wherein the authentication of the sender's identification is realized by a challenge/response procedure between the sender and the secure communication service.

12. The method of claim 10, wherein the transfer control flag of the personalized access ticket is set by a trusted third party.



13. The method of claim 1, wherein the sender's identification and the recipient's identification in the personalized access ticket are given by real email addresses of the sender and the recipient.

14. The method of claim 1, wherein the sender's identification and the recipient's identification in the personalized access ticket are given by anonymous identifications of the sender and the recipient, where an anonymous identification of each user contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority.

15. The method of claim 14, wherein the anonymous identification of each user is an information containing the at least one fragment of the official identification of each user which is signed by the certification authority using a secret key of the certification authority.

16. The method of claim 14, wherein the official identification of each user is a character string uniquely assigned to each user by the certification authority and a public key of each user which are signed by a secret key of the certification authority.

17. The method of claim 14, further comprising the step of:

probabilistically identifying an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

18. The method of claim 1, wherein an anonymous identification of each user that contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority and a link information of each anonymous identification by which each anonymous identification can be uniquely identified are defined, and the sender's identification and the recipient's identification in the personalized access ticket are given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient.

19. The method of claim 1, wherein the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority.

20. The method of claim 18, further comprising the step of:

probabilistically identifying an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.

21. The method of claim 1, wherein the personalized 
access ticket contains a single sender's identifica- 
tion and a single recipient's identification in 1-to-1 
correspondence. 

22. The method of claim 1, wherein the personalized 
access ticket contains a single sender's identifica- 
tion and a plurality of recipient's identifications in 1- 
to-N correspondence, where N is an integer greater 

. than 1. 

23. The method of claim 22, wherein one ident3ication 
among the single sender's identification and the 
plurality of recipient's identifications is a holder 
identification for kJerrtrrying a holder of the personal- 
ized access ticket while other identifications among 
the single sender's identification and the plurality of 
recipient's identifications are member identifica- 
tions for identifying members of a group to which 
trie holder belongs. 

24. The method of claim 23. further comprising the step 

of: 

issuing an identification of each user and an 
enabler of the identification of each user indi- 
cating a right to change the personalized 
access ticket containing the identification of 
each user as the holder identification, to each 
user at a certification authority, such that pre- 
scribed processing on the personalized access 
ticket can be carried out at a secure processing 
device only by a user who presented both the 
hoJder identification contained in the personal- 
ized access ticket and tie enabler correspond- 
ing to the holder identification to the secure 
processing device. 

25. The method of claim 24, wherein the certification 
authority issues the enabler of the identification of 
each user as an information indicating that it is the 
enabler and the identification of each user itself 
which are signed by a secret key of the certification 
authority. 

26. The method of daim 24, wherein the prescribed 
processing includes a generation of a new person- 
alized access ticket a merging of a plurality of per- 
sonalized access tickets, a splitting of one 
personalized access ticket into a plurality of person- 



alized access tickets, a changing of the holder of 
the personalized access ticket changing of a valid- 
ity period of the personalized access ticket, and a 
changing of a transfer control flag of the personal - 
5 ized access ticket 

27. The method of claim 26. wherein a special identifi- 
cation and a special enabler corresponding to the 
special identification which are known to all users 

io are defined such that the generation of a new per- 
sonalized access ticket and the changing of the 
holder of the personafized access ticket can be car- 
ried out by the holder of the personafized access 
ticket by using the special identification and the 

is special enabler without using an enabler of a mem- 
ber iderrtification. 

28. The method of claim 27, wherein the special identi- 
fication is defined to be capable of being used only 

20 as the holder identification of the personafized 
access ticket 

29. The method of claim 26, wherein a special identifi- 
cation which is known to all users is defined such 

25 that a read only attribute can be set to the personal- 
ized access ticket by using the special identifica- 
tion. 

30. The method of claim 1, wherein at the controlling step, when the access right of the sender with respect to the recipient is verified according to the personalized access ticket, the secure communication service takes out the recipient's identification from the personalized access ticket by using the sender's identification presented by the sender, converts the mail by using the taken-out recipient's identification into a format that can be interpreted by a mail transfer function for actually carrying out a mail delivery processing, and gives the mail after conversion to the mail transfer function by attaching the personalized access ticket.

31. A method of email access control, comprising the steps of:

defining an official identification of each user by which each user is uniquely identifiable by a certification authority, and an anonymous identification of each user containing at least one fragment of the official identification; and
identifying each user by the anonymous identification of each user in communications for emails on a communication network.

32. The method of claim 31, wherein the anonymous identification of each user is an information containing the at least one fragment of the official identification of each user which is signed by the certification authority using a secret key of the certification authority.

33. The method of claim 31, wherein the official identification of each user is a character string uniquely assigned to each user by the certification authority and a public key of each user which are signed by a secret key of the certification authority.

34. The method of claim 31, further comprising the steps of:

receiving a personalized access ticket containing a sender's anonymous identification and a recipient's anonymous identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, at a secure communication service for connecting communications between the sender and the receiver; and
controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket at the secure communication service.
35. The method of claim 34, further comprising the step of:

probabilistically identifying an identity of the sender at the secure communication service by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

36. The method of claim 31, wherein the defining step also defines a link information of each anonymous identification by which each anonymous identification can be uniquely identified, and each anonymous identification also contains the link information of each anonymous identification.

37. The method of claim 36, wherein the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority.

38. The method of claim 36, further comprising the steps of:

receiving a personalized access ticket containing a link information of a sender's anonymous identification and a link information of a recipient's anonymous identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, at a secure communication service for connecting communications between the sender and the receiver; and
controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket at the secure communication service.

39. The method of claim 38, further comprising the step of:

probabilistically identifying an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.

40. A communication system realizing email access control, comprising:

a communication network to which a plurality of user terminals are connected; and
a secure communication service device for connecting communications between the sender and the receiver on the communication network, by receiving a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.

41. The system of claim 40, wherein the secure communication service device authenticates the personalized access ticket presented by the sender, and refuses a delivery of the email when the personalized access ticket presented by the sender has been altered.

42. The system of claim 41, further comprising:

a secure processing device for issuing the personalized access ticket which is signed by a secret key of the secure processing device;
wherein the secure communication service device authenticates the personalized access ticket by verifying a signature of the secure processing device in the personalized access ticket using a public key of the secure processing device.

43. The system of claim 40, wherein the secure communication service device also receives the sender's identification presented by the sender along with the personalized access ticket, checks whether the sender's identification presented by the sender is contained in the personalized access ticket presented by the sender, and refuses a delivery of the email when the sender's identification presented by the sender is not contained in the personalized access ticket presented by the sender.

44. The system of claim 40, wherein the personalized access ticket also contains a validity period indicating a period for which the personalized access ticket is valid, and the secure communication service device checks the validity period contained in the personalized access ticket presented by the sender and refuses a delivery of the email when the personalized access ticket presented by the sender contains the validity period that has already expired.

45. The system of claim 44, further comprising:

a trusted third party for setting the validity period of the personalized access ticket.

46. The system of claim 40, further comprising:

a directory service device for managing an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than a personal information, in a state which is accessible for search by unspecified many, and issuing the personalized access ticket to the sender in response to search conditions specified by the sender, by using an identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.

47. The system of claim 40, wherein the secure communication service device registers in advance the personalized access ticket containing an identification of a specific user from which a delivery of emails to a specific registrant is to be refused as the sender's identification and an identification of the specific registrant as the recipient's identification, and refuses a delivery of the email from the sender when the personalized access ticket presented by the sender is registered therein in advance.

48. The system of claim 47, wherein the secure communication service device deletes the personalized access ticket registered therein upon request from the specific registrant who registered the personalized access ticket.

49. The system of claim 40, wherein the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service, and when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the secure communication service device authenticates the sender's identification presented by the sender and refuses a delivery of the email when an authentication of the sender's identification fails.

50. The system of claim 49, wherein the authentication of the sender's identification is realized by a challenge/response procedure between the sender and the secure communication service device.

51. The system of claim 49, further comprising a trusted third party for setting the transfer control flag of the personalized access ticket.

52. The system of claim 40, wherein the sender's identification and the recipient's identification in the personalized access ticket are given by real email addresses of the sender and the recipient.

53. The system of claim 40, further comprising:

a certification authority device for issuing an anonymous identification of each user which contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by the certification authority device;
wherein the sender's identification and the recipient's identification in the personalized access ticket are given by anonymous identifications of the sender and the recipient.

54. The system of claim 53, wherein the anonymous identification of each user is an information containing the at least one fragment of the official identification of each user which is signed by the certification authority device using a secret key of the certification authority device.

55. The system of claim 53, wherein the official identification of each user is a character string uniquely assigned to each user by the certification authority device and a public key of each user which are signed by a secret key of the certification authority device.

56. The system of claim 53, wherein the secure communication service device probabilistically identifies an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

57. The system of claim 40, further comprising:

a certification authority device for issuing an anonymous identification of each user which contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by the certification authority device and a link information of each anonymous identification by which each anonymous identification can be uniquely identified;
wherein the sender's identification and the recipient's identification in the personalized access ticket are given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient.

58. The system of claim 57, wherein the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority device.

59. The system of claim 57, wherein the secure communication service device probabilistically identifies an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.

60. The system of claim 40, wherein the personalized access ticket contains a single sender's identification and a single recipient's identification in 1-to-1 correspondence.

61. The system of claim 40, wherein the personalized access ticket contains a single sender's identification and a plurality of recipient's identifications in 1-to-N correspondence, where N is an integer greater than 1.

62. The system of claim 61, wherein one identification among the single sender's identification and the plurality of recipient's identifications is a holder identification for identifying a holder of the personalized access ticket while other identifications among the single sender's identification and the plurality of recipient's identifications are member identifications for identifying members of a group to which the holder belongs.



63. The system of claim 62, further comprising:

a certification authority device for issuing to each user an identification of each user and an enabler of the identification of each user indicating a right to change the personalized access ticket containing the identification of each user as the holder identification; and
a secure processing device at which prescribed processing on the personalized access ticket can be carried out only by a user who presented both the holder identification contained in the personalized access ticket and the enabler corresponding to the holder identification to the secure processing device.

64. The system of claim 63, wherein the certification authority device issues the enabler of the identification of each user as an information indicating that it is the enabler and the identification of each user itself which are signed by a secret key of the certification authority device.

65. The system of claim 63, wherein the prescribed processing includes a generation of a new personalized access ticket, a merging of a plurality of personalized access tickets, a splitting of one personalized access ticket into a plurality of personalized access tickets, a changing of the holder of the personalized access ticket, a changing of a validity period of the personalized access ticket, and a changing of a transfer control flag of the personalized access ticket.

66. The system of claim 65, wherein a special identification and a special enabler corresponding to the special identification which are known to all users are defined such that the generation of a new personalized access ticket and the changing of the holder of the personalized access ticket can be carried out by the holder of the personalized access ticket by using the special identification and the special enabler without using an enabler of a member identification.

67. The system of claim 66, wherein the special identification is defined to be capable of being used only as the holder identification of the personalized access ticket.

68. The system of claim 65, wherein a special identification which is known to all users is defined such that a read only attribute can be set to the personalized access ticket by using the special identification.

69. The system of claim 40, wherein when the access right of the sender with respect to the recipient is verified according to the personalized access ticket, the secure communication service device takes out the recipient's identification from the personalized access ticket by using the sender's identification presented by the sender, converts the mail by using the taken-out recipient's identification into a format that can be interpreted by a mail transfer function for actually carrying out a mail delivery processing, and gives the mail after conversion to the mail transfer function by attaching the personalized access ticket.

70. A communication system realizing email access control, comprising:

a certification authority device for defining an official identification of each user by which each user is uniquely identifiable by the certification authority device, and an anonymous identification of each user which contains at least one fragment of the official identification; and
a communication network on which each user is identified by the anonymous identification of each user in communications for emails on the communication network.

71. The system of claim 70, wherein the anonymous identification of each user is an information containing the at least one fragment of the official identification of each user which is signed by the certification authority device using a secret key of the certification authority device.

72. The system of claim 70, wherein the official identification of each user is a character string uniquely assigned to each user by the certification authority device and a public key of each user which are signed by a secret key of the certification authority device.

73. The system of claim 70, further comprising:

a secure communication service device for connecting communications between the sender and the receiver on the communication network, by receiving a personalized access ticket containing a sender's anonymous identification and a recipient's anonymous identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.



74. The system of claim 73, wherein the secure communication service device probabilistically identifies an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

75. The system of claim 70, wherein the certification authority device also defines a link information of each anonymous identification by which each anonymous identification can be uniquely identified, and each anonymous identification also contains the link information of each anonymous identification.

76. The system of claim 75, wherein the link information of each anonymous identification is an identifier uniquely assigned to each anonymous identification by the certification authority device.

77. The system of claim 75, further comprising:

a secure communication service device for connecting communications between the sender and the receiver on the communication network, by receiving a personalized access ticket containing a link information of a sender's anonymous identification and a link information of a recipient's anonymous identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.

78. The system of claim 77, wherein the secure communication service device probabilistically identifies an identity of the sender by reconstructing the official identification of the sender while judging identity of a plurality of link informations of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

79. A secure communication service device for use in a communication system realizing email access control, comprising:

a computer hardware; and
a computer software for causing the computer hardware to connect communications between the sender and the receiver, by receiving a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email, and controlling accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket.

80. The secure communication service device of claim 79, wherein the computer software causes the computer hardware to authenticate the personalized access ticket presented by the sender, and refuse a delivery of the email when the personalized access ticket presented by the sender has been altered.

81. The secure communication service device of claim 80, wherein the personalized access ticket is signed by a secret key of a secure processing device which issued the personalized access ticket, and the computer software causes the computer hardware to authenticate the personalized access ticket by verifying a signature of the secure processing device in the personalized access ticket using a public key of the secure processing device.

82. The secure communication service device of claim 79, wherein the computer software causes the computer hardware to also receive the sender's identification presented by the sender along with the personalized access ticket, check whether the sender's identification presented by the sender is contained in the personalized access ticket presented by the sender, and refuse a delivery of the email when the sender's identification presented by the sender is not contained in the personalized access ticket presented by the sender.

83. The secure communication service device of claim 79, wherein the personalized access ticket also contains a validity period indicating a period for which the personalized access ticket is valid, and the computer software causes the computer hardware to check the validity period contained in the personalized access ticket presented by the sender and refuse a delivery of the email when the personalized access ticket presented by the sender contains the validity period that has already expired.

84. The secure communication service device of claim 79, wherein the computer software causes the computer hardware to register in advance the personalized access ticket containing an identification of a specific user from which a delivery of emails to a specific registrant is to be refused as the sender's identification and an identification of the specific registrant as the recipient's identification, at the secure communication service device, and refuse a delivery of the email from the sender when the personalized access ticket presented by the sender is registered at the secure communication service device in advance.

85. The secure communication service device of claim 84, wherein the computer software causes the computer hardware to delete the personalized access ticket registered at the secure communication service device upon request from the specific registrant who registered the personalized access ticket.

86. The secure communication service device of claim 79, wherein the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service device, and when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the computer software causes the computer hardware to authenticate the sender's identification presented by the sender and refuse a delivery of the email when an authentication of the sender's identification fails.

87. The secure communication service device of claim 86, wherein the computer software causes the computer hardware to realize the authentication of the sender's identification by a challenge/response procedure between the sender and the secure communication service device.

88. The secure communication service device of claim 79, wherein the sender's identification and the recipient's identification in the personalized access ticket are given by anonymous identifications of the sender and the recipient, where an anonymous identification of each user contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority, and the computer software also causes the computer hardware to probabilistically identify an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

89. The secure communication service device of claim 79, wherein an anonymous identification of each user that contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority and a link information of each anonymous identification by which each anonymous identification can be uniquely identified are defined, the sender's identification and the recipient's identification in the personalized access ticket are given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient, and the computer software also causes the computer hardware to probabilistically identify an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.

90. The secure communication service device of claim 79, wherein when the access right of the sender with respect to the recipient is verified according to the personalized access ticket, the computer software causes the computer hardware to take out the recipient's identification from the personalized access ticket by using the sender's identification presented by the sender, convert the mail by using the taken-out recipient's identification into a format that can be interpreted by a mail transfer function for actually carrying out a mail delivery processing, and give the mail after conversion to the mail transfer function by attaching the personalized access ticket.

91. A secure processing device for use in a communication system realizing email access control, comprising:

a computer hardware; and
a computer software for causing the computer hardware to receive a request for a personalized access ticket from a user, and issue a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is signed by a secret key of the secure processing device.

92. A directory service device for use in a communication system realizing email access control, comprising:

a computer hardware; and
a computer software for causing the computer hardware to manage an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than a personal information, in a state which is accessible for search by unspecified many, and issue a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, to the sender in response to search conditions specified by the sender, by using an identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.

93. A certification authority device for use in a communication system realizing email access control, comprising:

a computer hardware; and
a computer software for causing the computer hardware to issue to each user an official identification of each user by which each user is uniquely identifiable by the certification authority device, and an anonymous identification of each user which contains at least one fragment of the official identification.

94. A certification authority device for use in a communication system realizing email access control, comprising:

a computer hardware; and
a computer software for causing the computer hardware to issue to each user an identification of each user and an enabler of the identification of each user indicating a right to change any personalized access ticket that contains the identification of each user as a holder identification, where the personalized access ticket generally contains a sender's identification and a plurality of recipient's identifications in correspondence, and one of the sender's identification and the recipient's identifications is a holder identification.

95. A secure processing device for use in a communication system realizing email access control, comprising:

a computer hardware; and
a computer software for causing the computer hardware to receive from a user a request for prescribed processing on a personalized access ticket containing a sender's identification and a plurality of recipient's identifications in correspondence, where one of the sender's identification and the recipient's identifications is a holder identification, and execute the prescribed processing on the personalized access ticket when the user presented both the holder identification contained in the personalized access ticket and an enabler corresponding to the holder identification which indicates a right to change the personalized access ticket containing the identification of the user as the holder identification.

96. A computer usable medium having computer readable program code means embodied therein for causing a computer to function as a secure communication service device for use in a communication system realizing email access control, the computer readable program code means includes:

first computer readable program code means for causing said computer to receive a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email; and
second computer readable program code means for causing said computer to control accesses between the sender and the recipient by verifying an access right of the sender with respect to the recipient according to the personalized access ticket, so as to connect communications between the sender and the receiver on the communication network.

97. The computer usable medium of claim 96, wherein the second computer readable program code means causes said computer to authenticate the personalized access ticket presented by the sender, and refuse a delivery of the email when the personalized access ticket presented by the sender has been altered.

98. The computer usable medium of claim 97, wherein the personalized access ticket is signed by a secret key of a secure processing device which issued the personalized access ticket, and the second computer readable program code means causes said computer to authenticate the personalized access ticket by verifying a signature of the secure processing device in the personalized access ticket using a public key of the secure processing device.

99. The computer usable medium of claim 96, wherein the first computer readable program code means causes said computer to also receive the sender's identification presented by the sender along with the personalized access ticket, and the second computer readable program code means causes said computer to check whether the sender's identification presented by the sender is contained in the personalized access ticket presented by the sender and refuse a delivery of the email when the sender's identification presented by the sender is not contained in the personalized access ticket presented by the sender.

100. The computer usable medium of claim 96, wherein the personalized access ticket also contains a validity period indicating a period for which the personalized access ticket is valid, and the second computer readable program code means causes said computer to check the validity period contained in the personalized access ticket presented by the sender and refuse a delivery of the email when the personalized access ticket presented by the sender contains the validity period that has already expired.

101. The computer usable medium of claim 96, wherein the second computer readable program code means causes said computer to register in advance the personalized access ticket containing an identification of a specific user from which a delivery of emails to a specific registrant is to be refused as the sender's identification and an identification of the specific registrant as the recipient's identification, at the secure communication service device, and refuse a delivery of the email from the sender when the personalized access ticket presented by the sender is registered at the secure communication service device in advance.

102. The computer usable medium of claim 101, wherein the second computer readable program code means causes said computer to delete the personalized access ticket registered at the secure communication service device upon request from the specific registrant who registered the personalized access ticket.

103. The computer usable medium of claim 96, wherein the personalized access ticket also contains a transfer control flag indicating whether or not the sender should be authenticated by the secure communication service device, and when the transfer control flag contained in the personalized access ticket indicates that the sender should be authenticated, the second computer readable program code means causes said computer to authenticate the sender's identification presented by the sender and refuse a delivery of the email when an authentication of the sender's identification fails.

104. The computer usable medium of claim 103, wherein the second computer readable program code means causes said computer to realize the authentication of the sender's identification by a challenge/response procedure between the sender and the secure communication service device.
105. The computer usable medium of claim 96, wherein the sender's identification and the recipient's identification in the personalized access ticket are given by anonymous identifications of the sender and the recipient, where an anonymous identification of each user contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority, and the second computer readable program code means also causes said computer to probabilistically identify an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender contained in a plurality of personalized access tickets used by the sender.

106. The computer usable medium of claim 96, wherein an anonymous identification of each user that contains at least one fragment of an official identification of each user by which each user is uniquely identifiable by a certification authority and a link information of each anonymous identification by which each anonymous identification can be uniquely identified are defined, the sender's identification and the recipient's identification in the personalized access ticket are given by a link information of the anonymous identification of the sender and a link information of the anonymous identification of the recipient, and the second computer readable program code means also causes said computer to probabilistically identify an identity of the sender by reconstructing the official identification of the sender by judging identity of a plurality of anonymous identifications of the sender corresponding to the link information contained in a plurality of personalized access tickets used by the sender.

107. The computer usable medium of claim 96, wherein when the access right of the sender with respect to the recipient is verified according to the personalized access ticket, the second computer readable program code means causes said computer to take out the recipient's identification from the personalized access ticket by using the sender's identification presented by the sender, convert the mail by using a taken out recipient's identification into a format that can be interpreted by a mail transfer function for actually carrying out a mail delivery processing, and give the mail after conversion to the mail transfer function by attaching the personalized access ticket.
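As an added illustration that is not code from the patent, the following Python sketches the checks a secure communication service device makes on a presented ticket under claims 97, 99, 100, 101 and 103, and the hand-over to the mail transfer function of claim 107. The key name SPD_KEY, the ticket field names, the refusal registry as a set of (sender, recipient) pairs and the HMAC tag standing in for the secure processing device's public-key signature are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): stands in for the secure processing device's
# signing key; an HMAC tag replaces the public-key signature of claims 98/108.
SPD_KEY = b"demo-secure-processing-device-key"


def _tag(fields):
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(SPD_KEY, body, hashlib.sha256).hexdigest()


def issue_pat(sender, recipient, valid_from, valid_until, auth_required=False):
    """Issue a personalized access ticket (PAT) binding one sender to one recipient."""
    fields = {"sender": sender, "recipient": recipient, "valid_from": valid_from,
              "valid_until": valid_until, "auth_required": auth_required}
    return {**fields, "sig": _tag(fields)}


def verify_pat(pat, presented_sender, now, refused, authenticate=None):
    """Checks of the secure communication service; returns (accepted, recipient_or_reason).

    Order follows claims 97 (altered ticket), 99 (presented sender contained),
    100 (validity period), 101 (ticket registered as refused) and 103 (transfer
    control flag demanding sender authentication, here a caller-supplied callback).
    """
    fields = {k: v for k, v in pat.items() if k != "sig"}
    if not hmac.compare_digest(_tag(fields), str(pat.get("sig", ""))):
        return False, "ticket altered or not issued by the secure processing device"
    if presented_sender != pat["sender"]:
        return False, "presented sender identification not contained in ticket"
    if not pat["valid_from"] <= now <= pat["valid_until"]:
        return False, "validity period has expired"
    if (pat["sender"], pat["recipient"]) in refused:
        return False, "ticket registered in advance as refused by the recipient"
    if pat["auth_required"] and not (authenticate and authenticate(presented_sender)):
        return False, "sender authentication failed"
    return True, pat["recipient"]


def to_mail_transfer(pat, presented_sender, message, now, refused, authenticate=None):
    """Claim 107: take out the recipient's identification, convert the mail for the
    mail transfer function and attach the PAT; returns None when delivery is refused."""
    ok, result = verify_pat(pat, presented_sender, now, refused, authenticate)
    if not ok:
        return None
    return {"envelope_from": presented_sender, "envelope_to": result,
            "body": message, "pat": pat}
```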

108. A computer usable medium having computer readable program code means embodied therein for causing a computer to function as a secure processing device for use in a communication system realizing email access control, the computer readable program code means includes:

first computer readable program code means for causing said computer to receive a request for a personalized access ticket from a user; and

second computer readable program code means for causing said computer to issue the personalized access ticket containing a sender's identification and a recipient's identification in correspondence, which is signed by a secret key of the secure processing device.

109. A computer usable medium having computer readable program code means embodied therein for causing a computer to function as a directory service device for use in a communication system realizing email access control, the computer readable program code means includes:

first computer readable program code means for causing said computer to manage an identification of each registrant and a disclosed information of each registrant which has a lower secrecy than a personal information, in a state which is accessible for search by unspecified many; and

second computer readable program code means for causing said computer to issue a personalized access ticket containing a sender's identification and a recipient's identification in correspondence, to the sender in response to search conditions specified by the sender, by using an identification of a registrant whose disclosed information matches the search conditions as the recipient's identification and the sender's identification specified by the sender along with the search conditions.

110. A computer usable medium having computer readable program code means embodied therein for causing a computer to function as a certification authority device for use in a communication system realizing email access control, the computer readable program code means includes:

first computer readable program code means for causing said computer to issue to each user an official identification of each user by which each user is uniquely identifiable by the certification authority device; and

second computer readable program code means for causing said computer to issue to each user an anonymous identification of each user which contains at least one fragment of the official identification.

111. A computer usable medium having computer readable program code means embodied therein for causing a computer to function as a certification authority device for use in a communication system realizing email access control, the computer readable program code means includes:

first computer readable program code means for causing said computer to issue to each user an identification of each user; and

second computer readable program code means for causing said computer to issue to each user an enabler of the identification of each user indicating a right to change any personalized access ticket that contains the identification of each user as a holder identification, where the personalized access ticket generally contains a sender's identification and a plurality of recipient's identifications in correspondence, and one of the sender's identification and the recipient's identifications is a holder identification.

112. A computer usable medium having computer readable program code means embodied therein for causing a computer to function as a secure processing device for use in a communication system realizing email access control, the computer readable program code means includes:

first computer readable program code means for causing said computer to receive from a user a request for prescribed processing on a personalized access ticket containing a sender's identification and a plurality of recipient's identifications in correspondence, where one of the sender's identification and the recipient's identifications is a holder identification; and

second computer readable program code means for causing said computer to execute the prescribed processing on the personalized access ticket when the user presented both the holder identification contained in the personalized access ticket and an enabler corresponding to the holder identification which indicates a right to change the personalized access ticket containing the identification of the user as the holder identification.